Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Infected With W32\robot Afl Worm?


  • Please log in to reply
28 replies to this topic

#1 waynerockit

waynerockit

  • Members
  • 17 posts
  • OFFLINE
  •  
  • Location:New Zealand
  • Local time:04:00 PM

Posted 08 June 2006 - 09:48 PM

Hi there,

Help! I think this rather nasty worm has infected my pc..Sorry I am not a 100% sure that it is w32\robot afl worm?

I am running Windows Live Onecare and keeps telling me a 'p2pnetworking.exe' is on my system. I cannot access my regedit - tells me another programme is using it, task manager - can't ctrl, alt delete (i have copied it and renamed it on my desktop to get it working) and finally when i try to install xp windows disc a message informs me it is not recognised by win32?. Previously a toolbar888 was in my system but this (for now anyway) appears to have gone...

Something called Kaazar reappears and gets blocked too! Windows live Onecare is also blocking something called 'installer'?

The system feels slow and does take a bit to load up. I have ran adaware, spybot, asquare and windows live onecare...I've obviously updated these programmes aswell..They show the system to be clean but i the p2pnetworking reappears in system 32...

Your help is also much obviously apperciated and needed!

Wayne Rockit

Logfile of HijackThis v1.99.1
Scan saved at 2:24:59 p.m., on 9/06/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5346.0005)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Microsoft Windows OneCare Live\Antivirus\MSMPSVC.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\Program Files\Microsoft Windows OneCare Live\Antivirus\MpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\WatchGuard\Mobile User VPN\IreIKE.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\WatchGuard\Mobile User VPN\IPSecMon.exe
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\Program Files\Microsoft Windows OneCare Live\Firewall\mpssvc.exe
C:\Program Files\Microsoft Windows OneCare Live\winss.exe
C:\Program Files\Microsoft Windows OneCare Live\winssnotify.exe
C:\Program Files\VAS\VAS System Tools\start.exe
C:\Program Files\Dell Support\DSAgnt.exe
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\msconfig.exe
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\taskmgr.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\a-squared\a2start.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\Owner\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://news.bbc.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=54729
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=552...cid={SUB_CLCID}
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = c:\WINDOWS\pchealth\helpctr\System\panels\blank.htm
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O4 - HKLM\..\Run: [OneCareUI] "C:\Program Files\Microsoft Windows OneCare Live\winssnotify.exe"
O4 - HKLM\..\Run: [VAS Free System Tools] C:\Program Files\VAS\VAS System Tools\start.exe
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
O4 - Global Startup: msconfig.exe
O4 - Global Startup: taskmgr.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {13EC55CF-D993-475B-9ACA-F4A384957956} (Controller Class) - https://www.windowsonecare.com/install/cli/...nSSWebAgent.CAB
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://scan.safety.live.com/resource/downl...lscbase5059.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1144296331406
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1145627635437
O16 - DPF: {AE9DCB17-F804-11D2-A44A-0020182C1446} (IntraLaunch.MainControl) - file://D:\SuperCD\IntraLaunch.CAB
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Unknown owner - C:\Program Files\iPod\bin\iPodService.exe (file missing)
O23 - Service: SafeNet Monitor Service (IPSECMON) - SafeNet - C:\Program Files\WatchGuard\Mobile User VPN\IPSecMon.exe
O23 - Service: SafeNet IKE Service (IREIKE) - SafeNet - C:\Program Files\WatchGuard\Mobile User VPN\IreIKE.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - Unknown owner - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe (file missing)
O23 - Service: MSMPSVC - Unknown owner - C:\Program Files\Microsoft Windows OneCare Live\Antivirus\MSMPSVC.exe" -n 4 (file missing)
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe

BC AdBot (Login to Remove)

 


#2 Guest_Cretemonster_*

Guest_Cretemonster_*

  • Guests
  • OFFLINE
  •  

Posted 09 June 2006 - 04:47 AM

Hi waynerockit and Welcome to the Bleeping Computer!


1. Please download Ewido Anti-Malware
  • Install ewido anti-malware
  • Launch ewido, there should be an icon on your desktop, double-click it.
  • The program will now open to the main screen.
  • When you run ewido for the first time, you may get a warning "Database could not be found!". Click OK. We will fix this in a moment.

    You will need to update ewido to the latest definition files.
    • On the left hand side of the main screen click update.
    • Then click on Start Update.
  • The update will start and a progress bar will show the updates being installed.
    (the status bar at the bottom will display ("Update successful")
  • Exit Ewido, do not run the scan yet!
If you are having problems with the updater, you can use this link to manually update ewido.
ewido manual updates

2. Please download Brute Force Uninstaller to your desktop.
  • Right click the BFU folder on your desktop, and choose Extract All
  • Click "Next"
  • In the box to choose where to extract the files to,
  • Click "Browse"
  • Click on the + sign next to "My Computer"
  • Click on "Local Disk (C:) or whatever your primary drive is
  • Click "Make New Folder"
  • Type in BFU
  • Click "Next", and Uncheck the "Show Extracted Files" box and then click "Finish".
3. RIGHT-CLICK HERE and choose "Save As" (in IE it's "Save Target As") in order to download Alcra PLUS Remover.
Save it in the same folder you made earlier (c:\BFU).

Do not do anything with these yet!


Please download the Killbox by Option^Explicit.

Note: In the event you already have Killbox, this is a new version that I need you to download.
  • Save it to your desktop.
  • Please double-click Killbox.exe to run it.
  • Please copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):

    C:\Documents and Settings\All Users\Start Menu\Programs\Startup\msconfig.exe
    C:\Documents and Settings\All Users\Start Menu\Programs\Startup\taskmgr.exe


  • Return to Killbox, go to the File menu, and choose Paste from Clipboard.
  • Select Delete on Reboot
  • then Click on the All Files button.
  • Click the red-and-white Delete File button. Click Yes at the Delete on Reboot prompt. Click OK at any PendingFileRenameOperations prompt (and please let me know if you receive this message!).
If your computer does not restart automatically, please restart it manually.

If you receive a message such as: "Component 'MsComCtl.ocx' or one of its dependencies not correctly registered: a file is missing or invalid." when trying to run Killbox, click here to download and run missingfilesetup.exe. Then try Killbox again.


Reboot your computer into Safe Mode. You can do this by restarting your computer and continually tapping F8 until a menu appears. Highlight Safe Mode and hit enter.


Once in Safe Mode--> Open HijackThis-> Click "Do a System Scan Only" and put a check by these but DO NOT hit the Fix Checked button yet

O4 - Global Startup: msconfig.exe

O4 - Global Startup: taskmgr.exe

Now Make sure ALL WINDOWS and BROWSERS are CLOSED and hit the Fix Checked Button


4.Open Ewido:
  • Click on scanner
  • Click on Complete System Scan and the scan will begin.
  • You will be prompted to clean the first infection.
  • Select "Perform action on all infections", then proceed.
  • Once the scan has completed, there will be a button located on the bottom of the screen named Save report
  • Click Save report.
  • Save the report .txt file to your desktop or a location where you can find it easily.
Close ewido anti-malware.

5. Then, please go to Start > My Computer and navigate to the C:\BFU folder.
  • Start the Brute Force Uninstaller by doubleclicking BFU.exe
  • Behind the scriptline to execute field click the folder icon Posted Image and select alcanshorty.bfu
  • Press Execute and let the program do its job. (You ought to see a progress bar if you did this correctly.)
  • Wait for the complete script execution box to pop up and press OK.
  • Press exit to terminate the BFU program.
Reboot into normal windows and post the contents of Ewido text report that you saved and a new HiJackThis log.

Edited by Cretemonster, 09 June 2006 - 04:50 AM.


#3 waynerockit

waynerockit
  • Topic Starter

  • Members
  • 17 posts
  • OFFLINE
  •  
  • Location:New Zealand

Posted 09 June 2006 - 07:37 AM

Greetings from New Zealand!

Yes system is working again seems to be taking a little while to load on start up but otherwise regedit, task manager are all working..Fantastic result! Again thanks for the help I've got a pressing essay due in for uni so i can stop worrying about the compt and get down to business...

Just a couple of quick queries

1 - Do you think I should run windows xp set up and utilise the repair option or re install my operating system? hmm i keep thinking my system may not be running right or be safe..I'm getting alittle paranoid..

2 - Finally, Ive found some backed up reg files stored under a folder called RFA_backups (under shared folders). I am not sure why these are here?
Sample: REGEDIT4 [HKEY_CURRENT_USER\SKYPE\PHONE]
"IMPORTANTCONTACTSPATH "="C:\\PROGRAM FILES\\SKYPE\\PHONE\\IMPORTANTCONTACTS\\"
The list goes on with references to word documents, wkswp.exe"="2003 etc, programme exe,, cache references etc..

Again thank u for your help and as requested here is a copy of the files u wanted to see!

---------------------------------------------------------
ewido anti-malware - Scan report
---------------------------------------------------------

+ Created on: 11:51:51 p.m., 9/06/2006
+ Report-Checksum: C887C21F

+ Scan result:

No infected objects found.


::Report End

Logfile of HijackThis v1.99.1
Scan saved at 12:09:29 a.m., on 10/06/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5346.0005)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Microsoft Windows OneCare Live\Antivirus\MSMPSVC.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\Program Files\Microsoft Windows OneCare Live\Antivirus\MpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\WatchGuard\Mobile User VPN\IreIKE.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\ewido anti-malware\ewidoguard.exe
C:\Program Files\WatchGuard\Mobile User VPN\IPSecMon.exe
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\Program Files\Microsoft Windows OneCare Live\Firewall\mpssvc.exe
C:\Program Files\Microsoft Windows OneCare Live\winss.exe
C:\Program Files\Microsoft Windows OneCare Live\winssnotify.exe
C:\Program Files\VAS\VAS System Tools\start.exe
C:\Program Files\Dell Support\DSAgnt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Owner\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://news.bbc.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=54729
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=552...cid={SUB_CLCID}
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = c:\WINDOWS\pchealth\helpctr\System\panels\blank.htm
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O4 - HKLM\..\Run: [OneCareUI] "C:\Program Files\Microsoft Windows OneCare Live\winssnotify.exe"
O4 - HKLM\..\Run: [VAS Free System Tools] C:\Program Files\VAS\VAS System Tools\start.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {13EC55CF-D993-475B-9ACA-F4A384957956} (Controller Class) - https://www.windowsonecare.com/install/cli/...nSSWebAgent.CAB
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://scan.safety.live.com/resource/downl...lscbase5059.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1144296331406
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1145627635437
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {AE9DCB17-F804-11D2-A44A-0020182C1446} (IntraLaunch.MainControl) - file://D:\SuperCD\IntraLaunch.CAB
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido anti-malware\ewidoguard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Unknown owner - C:\Program Files\iPod\bin\iPodService.exe (file missing)
O23 - Service: SafeNet Monitor Service (IPSECMON) - SafeNet - C:\Program Files\WatchGuard\Mobile User VPN\IPSecMon.exe
O23 - Service: SafeNet IKE Service (IREIKE) - SafeNet - C:\Program Files\WatchGuard\Mobile User VPN\IreIKE.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - Unknown owner - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe (file missing)
O23 - Service: MSMPSVC - Unknown owner - C:\Program Files\Microsoft Windows OneCare Live\Antivirus\MSMPSVC.exe" -n 4 (file missing)
O23 - Service: Panda Process Protection Service (PavPrSrv) - Unknown owner - C:\Program Files\Common Files\Panda Software\PavShld\pavprsrv.exe (file missing)
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe

Oh and finally is everything ok on this hijack list?

regards

Wayne

#4 Guest_Cretemonster_*

Guest_Cretemonster_*

  • Guests
  • OFFLINE
  •  

Posted 09 June 2006 - 04:37 PM

Unless your getting errors from Windows,Im not sure a repair serves a purpose in this case.


Finally, Ive found some backed up reg files stored under a folder called RFA_backups (under shared folders). I am not sure why these are here?
Sample: REGEDIT4 [HKEY_CURRENT_USER\SKYPE\PHONE]
"IMPORTANTCONTACTSPATH "="C:\\PROGRAM FILES\\SKYPE\\PHONE\\IMPORTANTCONTACTS\\"
The list goes on with references to word documents, wkswp.exe"="2003 etc, programme exe,, cache references etc..


I havent a clue what that is??


HijackThis log looks OK,lets get a bit closer look.


Download WinPFind to your C Drive.
http://www.bleepingcomputer.com/files/winpfind.php

Right Click the Zip Folder and Select "Extract All"

Don't use it yet

Reboot into SAFE MODE(Tap F8 when restarting)
Here is a link on how to boot into Safe Mode:
http://service1.symantec.com/SUPPORT/tsgen...src=sec_doc_nam

From the WinPFind folder-> Doubleclick WinPFind.exe and Click "Start Scan"

It will scan the entire System, so please be patient

Once you see "Scan Complete"-> a log (WinPFind.txt) will be automatically generated in the WinPFind folder


Restart Normal and have the PC Scanned here:
Panda Active Scan

You will need to be using Internet Explorer for the Scan to work

Save the Report it generates

Post back with the reports from WinPFind and Panda

#5 waynerockit

waynerockit
  • Topic Starter

  • Members
  • 17 posts
  • OFFLINE
  •  
  • Location:New Zealand
  • Local time:04:00 PM

Posted 09 June 2006 - 09:48 PM

Hi there,

As requested here are the following reports,

Active scan

Incident Status Location
Adware:adware/maxfiles Not disinfected c:\program files\commfiles\download

The following is the WinPfind file

WARNING: not all files found by this scanner are bad. Consult with a knowledgable person before proceeding.

If you see a message in the titlebar saying "Not responding..." you can ignore it. Windows somethimes displays this message due to the high volume of disk I/O. As long as the hard disk light is flashing, the program is still working properly.

Windows OS and Versions
Product Name: Microsoft Windows XP Current Build: Service Pack 2 Current Build Number: 2600
Internet Explorer Version: 7.0.5346.5

Checking Selected Standard Folders

Checking %SystemDrive% folder...

Checking %ProgramFilesDir% folder...

Checking %WinDir% folder...

Checking %System% folder...
UPX! 12/10/2000 12:48:18 a.m. 41984 C:\WINDOWS\SYSTEM32\ccrpDtp6.ocx
PEC2 5/08/2004 41397 C:\WINDOWS\SYSTEM32\dfrg.msc
PEC2 20/04/2006 8:09:20 a.m. 619156 C:\WINDOWS\SYSTEM32\DivX.dll
PECompact2 20/04/2006 8:09:20 a.m. 619156 C:\WINDOWS\SYSTEM32\DivX.dll
UPX! 9/05/2003 2:14:06 a.m. 75264 C:\WINDOWS\SYSTEM32\Gifxc.ocx
PTech 23/05/2006 5:26:00 p.m. 579888 C:\WINDOWS\SYSTEM32\LegitCheckControl.dll
PECompact2 3/05/2006 9:26:24 p.m. 5818784 C:\WINDOWS\SYSTEM32\MRT.exe
aspack 3/05/2006 9:26:24 p.m. 5818784 C:\WINDOWS\SYSTEM32\MRT.exe
aspack 5/08/2004 708096 C:\WINDOWS\SYSTEM32\ntdll.dll
Umonitor 5/08/2004 657920 C:\WINDOWS\SYSTEM32\rasdlg.dll
UPX! 7/02/2004 1:29:20 a.m. 23040 C:\WINDOWS\SYSTEM32\Shadow.ocx
winsync 5/08/2004 1309184 C:\WINDOWS\SYSTEM32\wbdbase.deu
PTech 23/05/2006 5:25:52 p.m. 285488 C:\WINDOWS\SYSTEM32\WgaTray.exe

Checking %System%\Drivers folder and sub-folders...

Items found in C:\WINDOWS\SYSTEM32\drivers\etc\hosts


Checking the Windows folder and sub-folders for system and hidden files within the last 60 days...
10/06/2006 1:46:56 p.m. S 2048 C:\WINDOWS\bootstat.dat
9/06/2006 9:04:40 p.m. H 54156 C:\WINDOWS\QTFont.qfn
8/06/2006 1:25:54 p.m. RHS 227 C:\WINDOWS\assembly\Desktop.ini
8/06/2006 1:25:54 p.m. RH 0 C:\WINDOWS\assembly\PublisherPolicy.tme
8/06/2006 1:25:54 p.m. RH 0 C:\WINDOWS\assembly\pubpol1.dat
8/06/2006 1:30:12 p.m. RH 0 C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\index1b.dat
8/06/2006 1:30:14 p.m. RH 0 C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\index1c.dat
22/04/2006 5:44:06 p.m. H 0 C:\WINDOWS\inf\oem12.inf
8/06/2006 1:28:52 p.m. H 0 C:\WINDOWS\inf\oem13.inf
13/04/2006 11:31:00 p.m. S 44662 C:\WINDOWS\system32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\ie7beta2.cat
23/05/2006 5:27:00 p.m. S 7160 C:\WINDOWS\system32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\WgaNotify.cat
9/05/2006 10:42:46 p.m. S 26352 C:\WINDOWS\system32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\WMFDist11.cat
9/05/2006 10:56:16 p.m. S 22624 C:\WINDOWS\system32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\wmp11.cat
11/04/2006 2:34:52 p.m. S 10443 C:\WINDOWS\system32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Wudf01000.cat
10/06/2006 1:47:02 p.m. H 12288 C:\WINDOWS\system32\config\default.LOG
10/06/2006 1:47:12 p.m. H 1024 C:\WINDOWS\system32\config\SAM.LOG
10/06/2006 1:46:58 p.m. H 12288 C:\WINDOWS\system32\config\SECURITY.LOG
10/06/2006 1:47:16 p.m. H 73728 C:\WINDOWS\system32\config\software.LOG
10/06/2006 1:47:12 p.m. H 929792 C:\WINDOWS\system32\config\system.LOG
10/06/2006 1:36:26 a.m. H 1024 C:\WINDOWS\system32\config\systemprofile\ntuser.dat.LOG
8/06/2006 1:28:48 p.m. S 341 C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\CryptnetUrlCache\Content\303572DF538EDD8B1D606185F1D559B8
10/06/2006 1:45:56 p.m. S 569 C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\CryptnetUrlCache\Content\3C83474D61E624A4F9844DF935AFE217
9/06/2006 8:26:14 p.m. S 25292 C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\CryptnetUrlCache\Content\486CC6AFD08942336C61FCD401C4A1D1
8/06/2006 8:53:30 p.m. S 688 C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\CryptnetUrlCache\Content\60E31627FDA0A46932B0E5948949F2A5
8/06/2006 2:24:10 p.m. S 739 C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\CryptnetUrlCache\Content\696F3DE637E6DE85B458996D49D759AD
9/06/2006 8:26:10 p.m. S 408 C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\CryptnetUrlCache\Content\74BFD122C0875EC75DBE5C6DB4C59019
8/06/2006 1:28:52 p.m. S 413 C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\CryptnetUrlCache\Content\79841F8EF00FBA86D33CC5A47696F165
8/06/2006 1:28:44 p.m. S 574 C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\CryptnetUrlCache\Content\904590238400AD963F77FAAAADC9BAB5
8/06/2006 1:33:12 p.m. S 558 C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\CryptnetUrlCache\Content\A44F4E7CB3133FF765C39A53AD8FCFDD
8/06/2006 8:53:36 p.m. S 31835 C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\CryptnetUrlCache\Content\A8FABA189DB7D25FBA7CAC806625FD30
8/06/2006 2:24:14 p.m. S 518 C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\CryptnetUrlCache\Content\B8CC409ACDBF2A2FE04C56F2875B1FD6
10/06/2006 1:49:00 a.m. S 558 C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\CryptnetUrlCache\Content\E6024EAC88E6B6165D49FE3C95ADD735
8/06/2006 1:28:48 p.m. S 126 C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\CryptnetUrlCache\MetaData\303572DF538EDD8B1D606185F1D559B8
10/06/2006 1:45:56 p.m. S 142 C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\CryptnetUrlCache\MetaData\3C83474D61E624A4F9844DF935AFE217
9/06/2006 8:26:14 p.m. S 120 C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\CryptnetUrlCache\MetaData\486CC6AFD08942336C61FCD401C4A1D1
8/06/2006 8:53:30 p.m. S 94 C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\CryptnetUrlCache\MetaData\60E31627FDA0A46932B0E5948949F2A5
8/06/2006 2:24:10 p.m. S 156 C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\CryptnetUrlCache\MetaData\696F3DE637E6DE85B458996D49D759AD
9/06/2006 8:26:10 p.m. S 124 C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\CryptnetUrlCache\MetaData\74BFD122C0875EC75DBE5C6DB4C59019
8/06/2006 1:28:52 p.m. S 98 C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\CryptnetUrlCache\MetaData\79841F8EF00FBA86D33CC5A47696F165
8/06/2006 1:28:44 p.m. S 136 C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\CryptnetUrlCache\MetaData\904590238400AD963F77FAAAADC9BAB5
8/06/2006 1:33:12 p.m. S 146 C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\CryptnetUrlCache\MetaData\A44F4E7CB3133FF765C39A53AD8FCFDD
8/06/2006 8:53:36 p.m. S 124 C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\CryptnetUrlCache\MetaData\A8FABA189DB7D25FBA7CAC806625FD30
8/06/2006 2:24:14 p.m. S 134 C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\CryptnetUrlCache\MetaData\B8CC409ACDBF2A2FE04C56F2875B1FD6
10/06/2006 1:49:00 a.m. S 144 C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\CryptnetUrlCache\MetaData\E6024EAC88E6B6165D49FE3C95ADD735
3/06/2006 10:17:18 p.m. H 0 C:\WINDOWS\system32\drivers\umdf\MsftWdf_user_01_00_00.Wdf
10/06/2006 1:50:10 p.m. H 330 C:\WINDOWS\Tasks\MP Scheduled Scan.job
10/06/2006 1:46:00 p.m. H 6 C:\WINDOWS\Tasks\SA.DAT

Checking for CPL files...
Microsoft Corporation 5/08/2004 68608 C:\WINDOWS\SYSTEM32\access.cpl
Microsoft Corporation 5/08/2004 549888 C:\WINDOWS\SYSTEM32\appwiz.cpl
Microsoft Corporation 5/08/2004 110592 C:\WINDOWS\SYSTEM32\bthprops.cpl
Microsoft Corporation 5/08/2004 135168 C:\WINDOWS\SYSTEM32\desk.cpl
Microsoft Corporation 5/08/2004 80384 C:\WINDOWS\SYSTEM32\firewall.cpl
Microsoft Corporation 5/08/2004 155136 C:\WINDOWS\SYSTEM32\hdwwiz.cpl
Intel Corporation 20/09/2005 9:35:12 a.m. 77824 C:\WINDOWS\SYSTEM32\igfxcpl.cpl
Microsoft Corporation 13/04/2006 11:21:20 p.m. 1405952 C:\WINDOWS\SYSTEM32\inetcpl.cpl
Microsoft Corporation 5/08/2004 129536 C:\WINDOWS\SYSTEM32\intl.cpl
Microsoft Corporation 5/08/2004 380416 C:\WINDOWS\SYSTEM32\irprops.cpl
Microsoft Corporation 5/08/2004 68608 C:\WINDOWS\SYSTEM32\joy.cpl
Sun Microsystems, Inc. 10/11/2005 1:03:50 p.m. 49265 C:\WINDOWS\SYSTEM32\jpicpl32.cpl
Microsoft Corporation 5/08/2004 187904 C:\WINDOWS\SYSTEM32\main.cpl
Microsoft Corporation 5/08/2004 618496 C:\WINDOWS\SYSTEM32\mmsys.cpl
Microsoft Corporation 5/08/2004 35840 C:\WINDOWS\SYSTEM32\ncpa.cpl
Microsoft Corporation 5/08/2004 25600 C:\WINDOWS\SYSTEM32\netsetup.cpl
Microsoft Corporation 5/08/2004 257024 C:\WINDOWS\SYSTEM32\nusrmgr.cpl
Microsoft Corporation 5/08/2004 32768 C:\WINDOWS\SYSTEM32\odbccp32.cpl
Microsoft Corporation 5/08/2004 114688 C:\WINDOWS\SYSTEM32\powercfg.cpl
Microsoft Corporation 5/08/2004 298496 C:\WINDOWS\SYSTEM32\sysdm.cpl
Microsoft Corporation 5/08/2004 28160 C:\WINDOWS\SYSTEM32\telephon.cpl
Microsoft Corporation 5/08/2004 94208 C:\WINDOWS\SYSTEM32\timedate.cpl
Microsoft Corporation 5/08/2004 148480 C:\WINDOWS\SYSTEM32\wscui.cpl
Microsoft Corporation 26/05/2005 4:16:30 a.m. 174360 C:\WINDOWS\SYSTEM32\wuaucpl.cpl
Microsoft Corporation 5/08/2004 68608 C:\WINDOWS\SYSTEM32\dllcache\access.cpl
Microsoft Corporation 5/08/2004 549888 C:\WINDOWS\SYSTEM32\dllcache\appwiz.cpl
Microsoft Corporation 5/08/2004 135168 C:\WINDOWS\SYSTEM32\dllcache\desk.cpl
Microsoft Corporation 5/08/2004 80384 C:\WINDOWS\SYSTEM32\dllcache\firewall.cpl
Microsoft Corporation 5/08/2004 155136 C:\WINDOWS\SYSTEM32\dllcache\hdwwiz.cpl
Microsoft Corporation 13/04/2006 11:21:20 p.m. 1405952 C:\WINDOWS\SYSTEM32\dllcache\inetcpl.cpl
Microsoft Corporation 5/08/2004 129536 C:\WINDOWS\SYSTEM32\dllcache\intl.cpl
Microsoft Corporation 5/08/2004 68608 C:\WINDOWS\SYSTEM32\dllcache\joy.cpl
Microsoft Corporation 5/08/2004 187904 C:\WINDOWS\SYSTEM32\dllcache\main.cpl
Microsoft Corporation 5/08/2004 618496 C:\WINDOWS\SYSTEM32\dllcache\mmsys.cpl
Microsoft Corporation 5/08/2004 35840 C:\WINDOWS\SYSTEM32\dllcache\ncpa.cpl
Microsoft Corporation 5/08/2004 25600 C:\WINDOWS\SYSTEM32\dllcache\netsetup.cpl
Microsoft Corporation 5/08/2004 257024 C:\WINDOWS\SYSTEM32\dllcache\nusrmgr.cpl
Microsoft Corporation 5/08/2004 32768 C:\WINDOWS\SYSTEM32\dllcache\odbccp32.cpl
Microsoft Corporation 5/08/2004 114688 C:\WINDOWS\SYSTEM32\dllcache\powercfg.cpl
Microsoft Corporation 5/08/2004 155648 C:\WINDOWS\SYSTEM32\dllcache\sapi.cpl
Microsoft Corporation 5/08/2004 298496 C:\WINDOWS\SYSTEM32\dllcache\sysdm.cpl
Microsoft Corporation 5/08/2004 28160 C:\WINDOWS\SYSTEM32\dllcache\telephon.cpl
Microsoft Corporation 5/08/2004 94208 C:\WINDOWS\SYSTEM32\dllcache\timedate.cpl
Microsoft Corporation 5/08/2004 148480 C:\WINDOWS\SYSTEM32\dllcache\wscui.cpl
Microsoft Corporation 26/05/2005 4:16:30 a.m. 174360 C:\WINDOWS\SYSTEM32\dllcache\wuaucpl.cpl
Intel Corporation 23/01/2005 10:33:44 a.m. 94208 C:\WINDOWS\SYSTEM32\ReinstallBackups\0008\DriverFiles\igfxcpl.cpl

Checking Selected Startup Folders

Checking files in %ALLUSERSPROFILE%\Startup folder...
6/04/2006 11:56:02 a.m. HS 84 C:\Documents and Settings\All Users\Start Menu\Programs\Startup\desktop.ini

Checking files in %ALLUSERSPROFILE%\Application Data folder...
6/04/2006 11:44:28 p.m. HS 62 C:\Documents and Settings\All Users\Application Data\desktop.ini

Checking files in %USERPROFILE%\Startup folder...
6/04/2006 11:56:02 a.m. HS 84 C:\Documents and Settings\Owner\Start Menu\Programs\Startup\desktop.ini

Checking files in %USERPROFILE%\Application Data folder...
12/05/2006 4:38:00 p.m. 1573 C:\Documents and Settings\Owner\Application Data\AdobeDLM.log
6/04/2006 11:44:28 p.m. HS 62 C:\Documents and Settings\Owner\Application Data\desktop.ini
12/05/2006 4:38:00 p.m. 0 C:\Documents and Settings\Owner\Application Data\dm.ini

Checking Selected Registry Keys

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
SV1 =

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
{5FE42F83-B8A0-4F61-BA49-11019EA70003} =

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]

[HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers]
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\ewido
{57BD36D7-CE32-4600-9B1C-1A0C47EFC02E} = C:\Program Files\ewido anti-malware\context.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Offline Files
{750fdf0e-2a26-11d1-a3ea-080036587f03} = %SystemRoot%\System32\cscui.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With
{09799AFB-AD67-11d1-ABCD-00C04FC30936} = %SystemRoot%\system32\SHELL32.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With EncryptionMenu
{A470F8CF-A1E8-4f65-8335-227475AA5C46} = %SystemRoot%\system32\SHELL32.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\WinRAR
{B41DB860-8EE4-11D2-9906-E49FADC173CA} = C:\Program Files\WinRAR\rarext.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\WinZip
{E0D79304-84BE-11CE-9641-444553540000} = C:\PROGRA~1\WINZIP\WZSHLSTB.DLL
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\{a2a9545d-a0c2-42b4-9708-a0b2badd77c8}
Start Menu Pin = %SystemRoot%\system32\SHELL32.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\a2ContMenu
{AB77609F-2178-4E6F-9C4B-44AC179D937A} = C:\PROGRA~1\A-SQUA~1\A2CONT~1.DLL
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\WinRAR
{B41DB860-8EE4-11D2-9906-E49FADC173CA} = C:\Program Files\WinRAR\rarext.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\WinZip
{E0D79304-84BE-11CE-9641-444553540000} = C:\PROGRA~1\WINZIP\WZSHLSTB.DLL

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\EncryptionMenu
{A470F8CF-A1E8-4f65-8335-227475AA5C46} = %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\ewido
{57BD36D7-CE32-4600-9B1C-1A0C47EFC02E} = C:\Program Files\ewido anti-malware\context.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\Offline Files
{750fdf0e-2a26-11d1-a3ea-080036587f03} = %SystemRoot%\System32\cscui.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\Sharing
{f81e9010-6ea4-11ce-a7ff-00aa003ca9f6} = ntshrui.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\WinRAR
{B41DB860-8EE4-11D2-9906-E49FADC173CA} = C:\Program Files\WinRAR\rarext.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\WinZip
{E0D79304-84BE-11CE-9641-444553540000} = C:\PROGRA~1\WINZIP\WZSHLSTB.DLL

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{0D2E74C4-3C34-11d2-A27E-00C04FC30871}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{24F14F01-7B1C-11d1-838f-0000F80461CF}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{24F14F02-7B1C-11d1-838f-0000F80461CF}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{66742402-F9B9-11D1-A202-0000F81FEDEE}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{F9DB5320-233E-11D1-9F84-707F02C10627}
= C:\Program Files\Adobe\Acrobat 7.0\ActiveX\PDFShell.dll

[HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}
AcroIEHlprObj Class = C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{53707962-6F74-2D53-2644-206D7942484F}
= C:\PROGRA~1\SPYBOT~1\SDHelper.dll
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}
SSVHelper Class = C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\{4D5C8C25-D075-11d0-B416-00C04FB90376}
&Tip of the Day = %SystemRoot%\system32\shdocvw.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ToolBar]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{08B0E5C0-4FCB-11CF-AAA5-00401C608501}
MenuText = Sun Java Console : C:\Program Files\Java\jre1.5.0_06\bin\npjpi150_06.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{85d1f590-48f4-11d9-9669-0800200c9a66}
MenuText = Uninstall BitDefender Online Scanner v8 :
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{92780B25-18CC-41C8-B9BE-3C9C571A8263}
ButtonText = Research :
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{FB5F1910-F110-11d2-BB9E-00C04F795683}
ButtonText = Messenger : C:\Program Files\Messenger\msmsgs.exe

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars]
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{C4EE31F3-4768-11D2-BE5C-00A0C9A83DA1}
File Search Explorer Band = %SystemRoot%\system32\SHELL32.dll
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{EFA24E64-B078-11D0-89E4-00C04FC9E26E}
Explorer Band = %SystemRoot%\system32\shdocvw.dll

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar]
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser
{01E04581-4EEE-11D0-BFE9-00AA005B4383} = &Address : %SystemRoot%\system32\browseui.dll
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser
{01E04581-4EEE-11D0-BFE9-00AA005B4383} = &Address : %SystemRoot%\system32\browseui.dll
{0E5CBF21-D15F-11D0-8301-00AA005B4383} = &Links : %SystemRoot%\system32\SHELL32.dll
{EF99BD32-C1FB-11D2-892F-0090271D4F88} = &Yahoo! Toolbar :
{F2CF5485-4E02-4F68-819C-B92DE9277049} = &Links : C:\WINDOWS\system32\ieframe.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
OneCareUI "C:\Program Files\Microsoft Windows OneCare Live\winssnotify.exe"
VAS Free System Tools C:\Program Files\VAS\VAS System Tools\start.exe
KernelFaultCheck %systemroot%\system32\dumprep 0 -k
VAS Memory Optimizer C:\Program Files\VAS\VAS System Tools\mem.exe /ags

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]
IMAIL Installed = 1
MAPI Installed = 1
MSFS Installed = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
DellSupport "C:\Program Files\Dell Support\DSAgnt.exe" /startup

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\load]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\run]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\services

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupfolder

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk
path C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup
location Common Startup
command C:\PROGRA~1\Adobe\ACROBA~1.0\Reader\READER~1.EXE
item Adobe Reader Speed Launch
path C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup
location Common Startup
command C:\PROGRA~1\Adobe\ACROBA~1.0\Reader\READER~1.EXE
item Adobe Reader Speed Launch

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Mobile User VPN.lnk
path C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Mobile User VPN.lnk
backup C:\WINDOWS\pss\Mobile User VPN.lnkCommon Startup
location Common Startup
command C:\PROGRA~1\WATCHG~1\MOBILE~1\SafeCfg.exe
item Mobile User VPN
Mobile User VPN C:\PROGRA~1\WATCHG~1\MOBILE~1\SafeCfg.exe
path C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Mobile User VPN.lnk
backup C:\WINDOWS\pss\Mobile User VPN.lnkCommon Startup
location Common Startup
command C:\PROGRA~1\WATCHG~1\MOBILE~1\SafeCfg.exe
item Mobile User VPN
Mobile User VPN C:\PROGRA~1\WATCHG~1\MOBILE~1\SafeCfg.exe

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^msconfig.exe
path C:\Documents and Settings\All Users\Start Menu\Programs\Startup\msconfig.exe
backup C:\WINDOWS\pss\msconfig.exeCommon Startup
location Common Startup
command C:\Documents and Settings\All Users\Start Menu\Programs\Startup\msconfig.exe
item msconfig
path C:\Documents and Settings\All Users\Start Menu\Programs\Startup\msconfig.exe
backup C:\WINDOWS\pss\msconfig.exeCommon Startup
location Common Startup
command C:\Documents and Settings\All Users\Start Menu\Programs\Startup\msconfig.exe
item msconfig

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^taskmgr.exe
path C:\Documents and Settings\All Users\Start Menu\Programs\Startup\taskmgr.exe
backup C:\WINDOWS\pss\taskmgr.exeCommon Startup
location Common Startup
command C:\Documents and Settings\All Users\Start Menu\Programs\Startup\taskmgr.exe
item taskmgr
path C:\Documents and Settings\All Users\Start Menu\Programs\Startup\taskmgr.exe
backup C:\WINDOWS\pss\taskmgr.exeCommon Startup
location Common Startup
command C:\Documents and Settings\All Users\Start Menu\Programs\Startup\taskmgr.exe
item taskmgr

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\AVG7_CC
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item avgcc
hkey HKLM
command C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
inimapping 0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item avgcc
hkey HKLM
command C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\C-Media Mixer
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item Mixer
hkey HKLM
command Mixer.exe /startup
inimapping 0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item Mixer
hkey HKLM
command Mixer.exe /startup
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\DellSupport
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item DSAgnt
hkey HKCU
command "C:\Program Files\Dell Support\DSAgnt.exe" /startup
inimapping 0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item DSAgnt
hkey HKCU
command "C:\Program Files\Dell Support\DSAgnt.exe" /startup
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\DVDLauncher
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item DVDLauncher
hkey HKLM
command "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
inimapping 0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item DVDLauncher
hkey HKLM
command "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\igfxhkcmd
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item hkcmd
hkey HKLM
command C:\WINDOWS\system32\hkcmd.exe
inimapping 0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item hkcmd
hkey HKLM
command C:\WINDOWS\system32\hkcmd.exe
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\igfxpers
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item igfxpers
hkey HKLM
command C:\WINDOWS\system32\igfxpers.exe
inimapping 0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item igfxpers
hkey HKLM
command C:\WINDOWS\system32\igfxpers.exe
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\igfxtray
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item igfxtray
hkey HKLM
command C:\WINDOWS\system32\igfxtray.exe
inimapping 0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item igfxtray
hkey HKLM
command C:\WINDOWS\system32\igfxtray.exe
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\iTunesHelper
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item iTunesHelper
hkey HKLM
command "C:\Program Files\iTunes\iTunesHelper.exe"
inimapping 0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item iTunesHelper
hkey HKLM
command "C:\Program Files\iTunes\iTunesHelper.exe"
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\KernelFaultCheck
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item dumprep 0 -k
hkey HKLM
command %systemroot%\system32\dumprep 0 -k
inimapping 0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item dumprep 0 -k
hkey HKLM
command %systemroot%\system32\dumprep 0 -k
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\QuickClean Imonitor
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item Plguni
hkey HKCU
command C:\Program Files\McAfee\McAfee QuickClean\Plguni.exe /START
inimapping 0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item Plguni
hkey HKCU
command C:\Program Files\McAfee\McAfee QuickClean\Plguni.exe /START
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\QuickTime Task
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item qttask
hkey HKLM
command "C:\Program Files\QuickTime\qttask.exe" -atboottime
inimapping 0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item qttask
hkey HKLM
command "C:\Program Files\QuickTime\qttask.exe" -atboottime
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\Skype
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item Skype
hkey HKCU
command "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
inimapping 0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item Skype
hkey HKCU
command "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\SunJavaUpdateSched
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item jusched
hkey HKLM
command C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
inimapping 0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item jusched
hkey HKLM
command C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\TkBellExe
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item realsched
hkey HKLM
command "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
inimapping 0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item realsched
hkey HKLM
command "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\VAS Memory Optimizer
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item mem
hkey HKLM
command C:\Program Files\VAS\VAS System Tools\mem.exe /ags
inimapping 0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item mem
hkey HKLM
command C:\Program Files\VAS\VAS System Tools\mem.exe /ags
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\Windows Defender
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item MSASCui
hkey HKLM
command "C:\Program Files\Windows Defender\MSASCui.exe" -hide
inimapping 0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item MSASCui
hkey HKLM
command "C:\Program Files\Windows Defender\MSASCui.exe" -hide
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\WinFast Schedule
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item WFWIZ
hkey HKLM
command C:\Program Files\WinFast\WFTVFM\WFWIZ.exe
inimapping 0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item WFWIZ
hkey HKLM
command C:\Program Files\WinFast\WFTVFM\WFWIZ.exe
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\state
system.ini 0
win.ini 0
bootini 0
services 0
startup 1


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Attachments
ScanWithAntiVirus 2


HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
LinkResolveIgnoreLinkInfo 0
NoResolveSearch 1
NoCDBurning 0


HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Ext

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Ext\CLSID
{17492023-C23A-453E-A040-C7C580BBF700} 1

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum
{BDEADF00-C265-11D0-BCED-00A0C90AB50F} = C:\PROGRA~1\COMMON~1\MICROS~1\WEBFOL~1\MSONSEXT.DLL
{6DFD7C5C-2451-11d3-A299-00C04F8EF6AF} =
{0DF44EAA-FF21-4412-828E-260A8728E7F1} =


HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Ratings

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system
dontdisplaylastusername 0
legalnoticecaption
legalnoticetext
shutdownwithoutlogon 1
undockwithoutlogon 1


[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies]

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
NoDriveTypeAutoRun 145

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run
WinUpdate.exe C:\Program Files\Windows\WinUpdate.exe

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
PostBootReminder {7849596a-48ea-486e-8937-a2a3009f31a9} = %SystemRoot%\system32\SHELL32.dll
CDBurn {fbeb8a05-beee-4442-804e-409d6c4515e9} = %SystemRoot%\system32\SHELL32.dll
WebCheck {E6FB5E20-DE35-11CF-9C87-00AA005127ED} = C:\WINDOWS\system32\webcheck.dll
SysTray {35CEC8A3-2BE6-11D2-8773-92E220524153} = C:\WINDOWS\system32\stobject.dll
WPDShServiceObj {AAA288BA-9A4C-45B0-95D7-94D524869DB5} = C:\WINDOWS\system32\WPDShServiceObj.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = C:\WINDOWS\system32\userinit.exe,
Shell = Explorer.exe
System =

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain
= crypt32.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet
= cryptnet.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll
= cscdll.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\igfxcui
= igfxdev.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp
= wlnotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule
= wlnotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy
= sclgntfy.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn
= WlNotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv
= wlnotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WgaLogon
= WgaLogon.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon
= wlnotify.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Your Image File Name Here without a path
Debugger = ntsd -d

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
AppInit_DLLs


Scan Complete
WinPFind v1.4.1 - Log file written to "WinPFind.Txt" in the WinPFind folder.
Scan completed on 10/06/2006 1:53:15 p.m.

again thanks for your help!

regards

Wayne

#6 Guest_Cretemonster_*

Guest_Cretemonster_*

  • Guests
  • OFFLINE
  •  

Posted 10 June 2006 - 04:34 AM

Copy all the text in the quote box to a blank notepad page and Save it to the Desktop with the name Clr.reg but dont run it just yet.


REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
"{5FE42F83-B8A0-4F61-BA49-11019EA70003}"=-

[-HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run]
"WinUpdate.exe"=-



Restart in Safe Mode--> Locate and Delete

C:\Program Files\Windows\WinUpdate.exe<-- File


Double Click Clr.reg and allow it to merge into the registry.


Now navigate to the Program Files folder,search for a folder labeled--> commfiles

Dont do anything with it just yet,I just need to know if you find a folder matching that name exactly??

Im not concerened with the Common Files folder thats inside the Program Files folder.


Next,I want you to navigate to this file

C:\WINDOWS\system32\drivers\umdf\MsftWdf_user_01_00_00.Wdf

Right Click and Select Properties,look through all the info there and see if you can associate it with anything installed on the PC??


Still in Safe Mode--> Scan with WinPFind once more.


Restart Normal and post the WinPFind log and let me know what ya found out about the file I just asked about and the folder in program files??

#7 waynerockit

waynerockit
  • Topic Starter

  • Members
  • 17 posts
  • OFFLINE
  •  
  • Location:New Zealand

Posted 10 June 2006 - 05:51 AM

Hi there,

Went through tasks as outlined,

Didn't find a file named commfiles - I think it was there it may have been deleted? It contained a massive list of files (games, programmes, movies) all with viruses...It may have been picked up by the virus scan and I manually deleted the folder

On the file MsftWdf_user_01_00_oo.Wdf - The only thing I could see that was associated with it was under security tab it listed the following,

Group or users names
Administrators [wayne 9298389BD\Admin] - had four boxes ticked
Owner [Wayne 9298389BD\Admin] had four boxes ticked
System had four boxes ticked
User [Wayne 9298389BD] only had exe and read rights


WinPFind doc as requested

WARNING: not all files found by this scanner are bad. Consult with a knowledgable person before proceeding.

If you see a message in the titlebar saying "Not responding..." you can ignore it. Windows somethimes displays this message due to the high volume of disk I/O. As long as the hard disk light is flashing, the program is still working properly.

Windows OS and Versions
Product Name: Microsoft Windows XP Current Build: Service Pack 2 Current Build Number: 2600
Internet Explorer Version: 7.0.5346.5

Checking Selected Standard Folders

Checking %SystemDrive% folder...

Checking %ProgramFilesDir% folder...

Checking %WinDir% folder...

Checking %System% folder...
UPX! 12/10/2000 12:48:18 a.m. 41984 C:\WINDOWS\SYSTEM32\ccrpDtp6.ocx
PEC2 5/08/2004 41397 C:\WINDOWS\SYSTEM32\dfrg.msc
PEC2 20/04/2006 8:09:20 a.m. 619156 C:\WINDOWS\SYSTEM32\DivX.dll
PECompact2 20/04/2006 8:09:20 a.m. 619156 C:\WINDOWS\SYSTEM32\DivX.dll
UPX! 9/05/2003 2:14:06 a.m. 75264 C:\WINDOWS\SYSTEM32\Gifxc.ocx
PTech 23/05/2006 5:26:00 p.m. 579888 C:\WINDOWS\SYSTEM32\LegitCheckControl.dll
PECompact2 3/05/2006 9:26:24 p.m. 5818784 C:\WINDOWS\SYSTEM32\MRT.exe
aspack 3/05/2006 9:26:24 p.m. 5818784 C:\WINDOWS\SYSTEM32\MRT.exe
aspack 5/08/2004 708096 C:\WINDOWS\SYSTEM32\ntdll.dll
Umonitor 5/08/2004 657920 C:\WINDOWS\SYSTEM32\rasdlg.dll
UPX! 7/02/2004 1:29:20 a.m. 23040 C:\WINDOWS\SYSTEM32\Shadow.ocx
winsync 5/08/2004 1309184 C:\WINDOWS\SYSTEM32\wbdbase.deu
PTech 23/05/2006 5:25:52 p.m. 285488 C:\WINDOWS\SYSTEM32\WgaTray.exe

Checking %System%\Drivers folder and sub-folders...

Items found in C:\WINDOWS\SYSTEM32\drivers\etc\hosts


Checking the Windows folder and sub-folders for system and hidden files within the last 60 days...
10/06/2006 9:39:06 p.m. S 2048 C:\WINDOWS\bootstat.dat
9/06/2006 9:04:40 p.m. H 54156 C:\WINDOWS\QTFont.qfn
8/06/2006 1:25:54 p.m. RHS 227 C:\WINDOWS\assembly\Desktop.ini
8/06/2006 1:25:54 p.m. RH 0 C:\WINDOWS\assembly\PublisherPolicy.tme
8/06/2006 1:25:54 p.m. RH 0 C:\WINDOWS\assembly\pubpol1.dat
8/06/2006 1:30:12 p.m. RH 0 C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\index1b.dat
8/06/2006 1:30:14 p.m. RH 0 C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\index1c.dat
22/04/2006 5:44:06 p.m. H 0 C:\WINDOWS\inf\oem12.inf
8/06/2006 1:28:52 p.m. H 0 C:\WINDOWS\inf\oem13.inf
13/04/2006 11:31:00 p.m. S 44662 C:\WINDOWS\system32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\ie7beta2.cat
23/05/2006 5:27:00 p.m. S 7160 C:\WINDOWS\system32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\WgaNotify.cat
9/05/2006 10:42:46 p.m. S 26352 C:\WINDOWS\system32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\WMFDist11.cat
9/05/2006 10:56:16 p.m. S 22624 C:\WINDOWS\system32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\wmp11.cat
10/06/2006 9:39:12 p.m. H 12288 C:\WINDOWS\system32\config\default.LOG
10/06/2006 9:39:22 p.m. H 1024 C:\WINDOWS\system32\config\SAM.LOG
10/06/2006 9:39:06 p.m. H 12288 C:\WINDOWS\system32\config\SECURITY.LOG
10/06/2006 9:45:46 p.m. H 98304 C:\WINDOWS\system32\config\software.LOG
10/06/2006 9:39:20 p.m. H 954368 C:\WINDOWS\system32\config\system.LOG
10/06/2006 1:36:26 a.m. H 1024 C:\WINDOWS\system32\config\systemprofile\ntuser.dat.LOG
8/06/2006 1:28:48 p.m. S 341 C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\CryptnetUrlCache\Content\303572DF538EDD8B1D606185F1D559B8
10/06/2006 9:38:10 p.m. S 569 C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\CryptnetUrlCache\Content\3C83474D61E624A4F9844DF935AFE217
9/06/2006 8:26:14 p.m. S 25292 C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\CryptnetUrlCache\Content\486CC6AFD08942336C61FCD401C4A1D1
8/06/2006 8:53:30 p.m. S 688 C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\CryptnetUrlCache\Content\60E31627FDA0A46932B0E5948949F2A5
8/06/2006 2:24:10 p.m. S 739 C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\CryptnetUrlCache\Content\696F3DE637E6DE85B458996D49D759AD
9/06/2006 8:26:10 p.m. S 408 C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\CryptnetUrlCache\Content\74BFD122C0875EC75DBE5C6DB4C59019
8/06/2006 1:28:52 p.m. S 413 C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\CryptnetUrlCache\Content\79841F8EF00FBA86D33CC5A47696F165
8/06/2006 1:28:44 p.m. S 574 C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\CryptnetUrlCache\Content\904590238400AD963F77FAAAADC9BAB5
8/06/2006 1:33:12 p.m. S 558 C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\CryptnetUrlCache\Content\A44F4E7CB3133FF765C39A53AD8FCFDD
8/06/2006 8:53:36 p.m. S 31835 C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\CryptnetUrlCache\Content\A8FABA189DB7D25FBA7CAC806625FD30
8/06/2006 2:24:14 p.m. S 518 C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\CryptnetUrlCache\Content\B8CC409ACDBF2A2FE04C56F2875B1FD6
10/06/2006 7:39:00 p.m. S 558 C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\CryptnetUrlCache\Content\E6024EAC88E6B6165D49FE3C95ADD735
8/06/2006 1:28:48 p.m. S 126 C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\CryptnetUrlCache\MetaData\303572DF538EDD8B1D606185F1D559B8
10/06/2006 9:38:10 p.m. S 142 C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\CryptnetUrlCache\MetaData\3C83474D61E624A4F9844DF935AFE217
9/06/2006 8:26:14 p.m. S 120 C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\CryptnetUrlCache\MetaData\486CC6AFD08942336C61FCD401C4A1D1
8/06/2006 8:53:30 p.m. S 94 C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\CryptnetUrlCache\MetaData\60E31627FDA0A46932B0E5948949F2A5
8/06/2006 2:24:10 p.m. S 156 C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\CryptnetUrlCache\MetaData\696F3DE637E6DE85B458996D49D759AD
9/06/2006 8:26:10 p.m. S 124 C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\CryptnetUrlCache\MetaData\74BFD122C0875EC75DBE5C6DB4C59019
8/06/2006 1:28:52 p.m. S 98 C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\CryptnetUrlCache\MetaData\79841F8EF00FBA86D33CC5A47696F165
8/06/2006 1:28:44 p.m. S 136 C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\CryptnetUrlCache\MetaData\904590238400AD963F77FAAAADC9BAB5
8/06/2006 1:33:12 p.m. S 146 C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\CryptnetUrlCache\MetaData\A44F4E7CB3133FF765C39A53AD8FCFDD
8/06/2006 8:53:36 p.m. S 124 C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\CryptnetUrlCache\MetaData\A8FABA189DB7D25FBA7CAC806625FD30
8/06/2006 2:24:14 p.m. S 134 C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\CryptnetUrlCache\MetaData\B8CC409ACDBF2A2FE04C56F2875B1FD6
10/06/2006 7:39:00 p.m. S 144 C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\CryptnetUrlCache\MetaData\E6024EAC88E6B6165D49FE3C95ADD735
3/06/2006 10:17:18 p.m. H 0 C:\WINDOWS\system32\drivers\umdf\MsftWdf_user_01_00_00.Wdf
10/06/2006 9:42:18 p.m. H 330 C:\WINDOWS\Tasks\MP Scheduled Scan.job
10/06/2006 9:38:06 p.m. H 6 C:\WINDOWS\Tasks\SA.DAT

Checking for CPL files...
Microsoft Corporation 5/08/2004 68608 C:\WINDOWS\SYSTEM32\access.cpl
Microsoft Corporation 5/08/2004 549888 C:\WINDOWS\SYSTEM32\appwiz.cpl
Microsoft Corporation 5/08/2004 110592 C:\WINDOWS\SYSTEM32\bthprops.cpl
Microsoft Corporation 5/08/2004 135168 C:\WINDOWS\SYSTEM32\desk.cpl
Microsoft Corporation 5/08/2004 80384 C:\WINDOWS\SYSTEM32\firewall.cpl
Microsoft Corporation 5/08/2004 155136 C:\WINDOWS\SYSTEM32\hdwwiz.cpl
Intel Corporation 20/09/2005 9:35:12 a.m. 77824 C:\WINDOWS\SYSTEM32\igfxcpl.cpl
Microsoft Corporation 13/04/2006 11:21:20 p.m. 1405952 C:\WINDOWS\SYSTEM32\inetcpl.cpl
Microsoft Corporation 5/08/2004 129536 C:\WINDOWS\SYSTEM32\intl.cpl
Microsoft Corporation 5/08/2004 380416 C:\WINDOWS\SYSTEM32\irprops.cpl
Microsoft Corporation 5/08/2004 68608 C:\WINDOWS\SYSTEM32\joy.cpl
Sun Microsystems, Inc. 10/11/2005 1:03:50 p.m. 49265 C:\WINDOWS\SYSTEM32\jpicpl32.cpl
Microsoft Corporation 5/08/2004 187904 C:\WINDOWS\SYSTEM32\main.cpl
Microsoft Corporation 5/08/2004 618496 C:\WINDOWS\SYSTEM32\mmsys.cpl
Microsoft Corporation 5/08/2004 35840 C:\WINDOWS\SYSTEM32\ncpa.cpl
Microsoft Corporation 5/08/2004 25600 C:\WINDOWS\SYSTEM32\netsetup.cpl
Microsoft Corporation 5/08/2004 257024 C:\WINDOWS\SYSTEM32\nusrmgr.cpl
Microsoft Corporation 5/08/2004 32768 C:\WINDOWS\SYSTEM32\odbccp32.cpl
Microsoft Corporation 5/08/2004 114688 C:\WINDOWS\SYSTEM32\powercfg.cpl
Microsoft Corporation 5/08/2004 298496 C:\WINDOWS\SYSTEM32\sysdm.cpl
Microsoft Corporation 5/08/2004 28160 C:\WINDOWS\SYSTEM32\telephon.cpl
Microsoft Corporation 5/08/2004 94208 C:\WINDOWS\SYSTEM32\timedate.cpl
Microsoft Corporation 5/08/2004 148480 C:\WINDOWS\SYSTEM32\wscui.cpl
Microsoft Corporation 26/05/2005 4:16:30 a.m. 174360 C:\WINDOWS\SYSTEM32\wuaucpl.cpl
Microsoft Corporation 5/08/2004 68608 C:\WINDOWS\SYSTEM32\dllcache\access.cpl
Microsoft Corporation 5/08/2004 549888 C:\WINDOWS\SYSTEM32\dllcache\appwiz.cpl
Microsoft Corporation 5/08/2004 135168 C:\WINDOWS\SYSTEM32\dllcache\desk.cpl
Microsoft Corporation 5/08/2004 80384 C:\WINDOWS\SYSTEM32\dllcache\firewall.cpl
Microsoft Corporation 5/08/2004 155136 C:\WINDOWS\SYSTEM32\dllcache\hdwwiz.cpl
Microsoft Corporation 13/04/2006 11:21:20 p.m. 1405952 C:\WINDOWS\SYSTEM32\dllcache\inetcpl.cpl
Microsoft Corporation 5/08/2004 129536 C:\WINDOWS\SYSTEM32\dllcache\intl.cpl
Microsoft Corporation 5/08/2004 68608 C:\WINDOWS\SYSTEM32\dllcache\joy.cpl
Microsoft Corporation 5/08/2004 187904 C:\WINDOWS\SYSTEM32\dllcache\main.cpl
Microsoft Corporation 5/08/2004 618496 C:\WINDOWS\SYSTEM32\dllcache\mmsys.cpl
Microsoft Corporation 5/08/2004 35840 C:\WINDOWS\SYSTEM32\dllcache\ncpa.cpl
Microsoft Corporation 5/08/2004 25600 C:\WINDOWS\SYSTEM32\dllcache\netsetup.cpl
Microsoft Corporation 5/08/2004 257024 C:\WINDOWS\SYSTEM32\dllcache\nusrmgr.cpl
Microsoft Corporation 5/08/2004 32768 C:\WINDOWS\SYSaTEM32\dllcache\odbccp32.cpl
Microsoft Corporation 5/08/2004 114688 C:\WINDOWS\SYSTEM32\dllcache\powercfg.cpl
Microsoft Corporation 5/08/2004 155648 C:\WINDOWS\SYSTEM32\dllcache\sapi.cpl
Microsoft Corporation 5/08/2004 298496 C:\WINDOWS\SYSTEM32\dllcache\sysdm.cpl
Microsoft Corporation 5/08/2004 28160 C:\WINDOWS\SYSTEM32\dllcache\telephon.cpl
Microsoft Corporation 5/08/2004 94208 C:\WINDOWS\SYSTEM32\dllcache\timedate.cpl
Microsoft Corporation 5/08/2004 148480 C:\WINDOWS\SYSTEM32\dllcache\wscui.cpl
Microsoft Corporation 26/05/2005 4:16:30 a.m. 174360 C:\WINDOWS\SYSTEM32\dllcache\wuaucpl.cpl
Intel Corporation 23/01/2005 10:33:44 a.m. 94208 C:\WINDOWS\SYSTEM32\ReinstallBackups\0008\DriverFiles\igfxcpl.cpl

Checking Selected Startup Folders

Checking files in %ALLUSERSPROFILE%\Startup folder...
6/04/2006 11:56:02 a.m. HS 84 C:\Documents and Settings\All Users\Start Menu\Programs\Startup\desktop.ini

Checking files in %ALLUSERSPROFILE%\Application Data folder...
6/04/2006 11:44:28 p.m. HS 62 C:\Documents and Settings\All Users\Application Data\desktop.ini

Checking files in %USERPROFILE%\Startup folder...
6/04/2006 11:56:02 a.m. HS 84 C:\Documents and Settings\Owner\Start Menu\Programs\Startup\desktop.ini

Checking files in %USERPROFILE%\Application Data folder...
12/05/2006 4:38:00 p.m. 1573 C:\Documents and Settings\Owner\Application Data\AdobeDLM.log
6/04/2006 11:44:28 p.m. HS 62 C:\Documents and Settings\Owner\Application Data\desktop.ini
12/05/2006 4:38:00 p.m. 0 C:\Documents and Settings\Owner\Application Data\dm.ini

Checking Selected Registry Keys

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
SV1 =

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
{5FE42F83-B8A0-4F61-BA49-11019EA70003} =

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]

[HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers]
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\ewido
{57BD36D7-CE32-4600-9B1C-1A0C47EFC02E} = C:\Program Files\ewido anti-malware\context.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Offline Files
{750fdf0e-2a26-11d1-a3ea-080036587f03} = %SystemRoot%\System32\cscui.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With
{09799AFB-AD67-11d1-ABCD-00C04FC30936} = %SystemRoot%\system32\SHELL32.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With EncryptionMenu
{A470F8CF-A1E8-4f65-8335-227475AA5C46} = %SystemRoot%\system32\SHELL32.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\WinRAR
{B41DB860-8EE4-11D2-9906-E49FADC173CA} = C:\Program Files\WinRAR\rarext.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\WinZip
{E0D79304-84BE-11CE-9641-444553540000} = C:\PROGRA~1\WINZIP\WZSHLSTB.DLL
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\{a2a9545d-a0c2-42b4-9708-a0b2badd77c8}
Start Menu Pin = %SystemRoot%\system32\SHELL32.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\a2ContMenu
{AB77609F-2178-4E6F-9C4B-44AC179D937A} = C:\PROGRA~1\A-SQUA~1\A2CONT~1.DLL
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\WinRAR
{B41DB860-8EE4-11D2-9906-E49FADC173CA} = C:\Program Files\WinRAR\rarext.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\WinZip
{E0D79304-84BE-11CE-9641-444553540000} = C:\PROGRA~1\WINZIP\WZSHLSTB.DLL

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\EncryptionMenu
{A470F8CF-A1E8-4f65-8335-227475AA5C46} = %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\ewido
{57BD36D7-CE32-4600-9B1C-1A0C47EFC02E} = C:\Program Files\ewido anti-malware\context.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\Offline Files
{750fdf0e-2a26-11d1-a3ea-080036587f03} = %SystemRoot%\System32\cscui.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\Sharing
{f81e9010-6ea4-11ce-a7ff-00aa003ca9f6} = ntshrui.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\WinRAR
{B41DB860-8EE4-11D2-9906-E49FADC173CA} = C:\Program Files\WinRAR\rarext.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\WinZip
{E0D79304-84BE-11CE-9641-444553540000} = C:\PROGRA~1\WINZIP\WZSHLSTB.DLL

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{0D2E74C4-3C34-11d2-A27E-00C04FC30871}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{24F14F01-7B1C-11d1-838f-0000F80461CF}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{24F14F02-7B1C-11d1-838f-0000F80461CF}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{66742402-F9B9-11D1-A202-0000F81FEDEE}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{F9DB5320-233E-11D1-9F84-707F02C10627}
= C:\Program Files\Adobe\Acrobat 7.0\ActiveX\PDFShell.dll

[HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}
AcroIEHlprObj Class = C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{53707962-6F74-2D53-2644-206D7942484F}
= C:\PROGRA~1\SPYBOT~1\SDHelper.dll
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}
SSVHelper Class = C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\{4D5C8C25-D075-11d0-B416-00C04FB90376}
&Tip of the Day = %SystemRoot%\system32\shdocvw.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ToolBar]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{08B0E5C0-4FCB-11CF-AAA5-00401C608501}
MenuText = Sun Java Console : C:\Program Files\Java\jre1.5.0_06\bin\npjpi150_06.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{85d1f590-48f4-11d9-9669-0800200c9a66}
MenuText = Uninstall BitDefender Online Scanner v8 :
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{92780B25-18CC-41C8-B9BE-3C9C571A8263}
ButtonText = Research :
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{FB5F1910-F110-11d2-BB9E-00C04F795683}
ButtonText = Messenger : C:\Program Files\Messenger\msmsgs.exe

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars]
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{C4EE31F3-4768-11D2-BE5C-00A0C9A83DA1}
File Search Explorer Band = %SystemRoot%\system32\SHELL32.dll
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{EFA24E64-B078-11D0-89E4-00C04FC9E26E}
Explorer Band = %SystemRoot%\system32\shdocvw.dll

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar]
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser
{01E04581-4EEE-11D0-BFE9-00AA005B4383} = &Address : %SystemRoot%\system32\browseui.dll
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser
{01E04581-4EEE-11D0-BFE9-00AA005B4383} = &Address : %SystemRoot%\system32\browseui.dll
{0E5CBF21-D15F-11D0-8301-00AA005B4383} = &Links : %SystemRoot%\system32\SHELL32.dll
{EF99BD32-C1FB-11D2-892F-0090271D4F88} = &Yahoo! Toolbar :
{F2CF5485-4E02-4F68-819C-B92DE9277049} = &Links : C:\WINDOWS\system32\ieframe.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
OneCareUI "C:\Program Files\Microsoft Windows OneCare Live\winssnotify.exe"
VAS Free System Tools C:\Program Files\VAS\VAS System Tools\start.exe
KernelFaultCheck %systemroot%\system32\dumprep 0 -k
VAS Memory Optimizer C:\Program Files\VAS\VAS System Tools\mem.exe /ags

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]
IMAIL Installed = 1
MAPI Installed = 1
MSFS Installed = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
DellSupport "C:\Program Files\Dell Support\DSAgnt.exe" /startup

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\load]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\run]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\services

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupfolder

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk
path C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup
location Common Startup
command C:\PROGRA~1\Adobe\ACROBA~1.0\Reader\READER~1.EXE
item Adobe Reader Speed Launch
path C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup
location Common Startup
command C:\PROGRA~1\Adobe\ACROBA~1.0\Reader\READER~1.EXE
item Adobe Reader Speed Launch

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Mobile User VPN.lnk
path C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Mobile User VPN.lnk
backup C:\WINDOWS\pss\Mobile User VPN.lnkCommon Startup
location Common Startup
command C:\PROGRA~1\WATCHG~1\MOBILE~1\SafeCfg.exe
item Mobile User VPN
Mobile User VPN C:\PROGRA~1\WATCHG~1\MOBILE~1\SafeCfg.exe
path C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Mobile User VPN.lnk
backup C:\WINDOWS\pss\Mobile User VPN.lnkCommon Startup
location Common Startup
command C:\PROGRA~1\WATCHG~1\MOBILE~1\SafeCfg.exe
item Mobile User VPN
Mobile User VPN C:\PROGRA~1\WATCHG~1\MOBILE~1\SafeCfg.exe

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^msconfig.exe
path C:\Documents and Settings\All Users\Start Menu\Programs\Startup\msconfig.exe
backup C:\WINDOWS\pss\msconfig.exeCommon Startup
location Common Startup
command C:\Documents and Settings\All Users\Start Menu\Programs\Startup\msconfig.exe
item msconfig
path C:\Documents and Settings\All Users\Start Menu\Programs\Startup\msconfig.exe
backup C:\WINDOWS\pss\msconfig.exeCommon Startup
location Common Startup
command C:\Documents and Settings\All Users\Start Menu\Programs\Startup\msconfig.exe
item msconfig

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^taskmgr.exe
path C:\Documents and Settings\All Users\Start Menu\Programs\Startup\taskmgr.exe
backup C:\WINDOWS\pss\taskmgr.exeCommon Startup
location Common Startup
command C:\Documents and Settings\All Users\Start Menu\Programs\Startup\taskmgr.exe
item taskmgr
path C:\Documents and Settings\All Users\Start Menu\Programs\Startup\taskmgr.exe
backup C:\WINDOWS\pss\taskmgr.exeCommon Startup
location Common Startup
command C:\Documents and Settings\All Users\Start Menu\Programs\Startup\taskmgr.exe
item taskmgr

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\AVG7_CC
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item avgcc
hkey HKLM
command C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
inimapping 0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item avgcc
hkey HKLM
command C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\C-Media Mixer
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item Mixer
hkey HKLM
command Mixer.exe /startup
inimapping 0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item Mixer
hkey HKLM
command Mixer.exe /startup
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\DellSupport
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item DSAgnt
hkey HKCU
command "C:\Program Files\Dell Support\DSAgnt.exe" /startup
inimapping 0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item DSAgnt
hkey HKCU
command "C:\Program Files\Dell Support\DSAgnt.exe" /startup
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\DVDLauncher
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item DVDLauncher
hkey HKLM
command "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
inimapping 0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item DVDLauncher
hkey HKLM
command "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\igfxhkcmd
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item hkcmd
hkey HKLM
command C:\WINDOWS\system32\hkcmd.exe
inimapping 0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item hkcmd
hkey HKLM
command C:\WINDOWS\system32\hkcmd.exe
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\igfxpers
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item igfxpers
hkey HKLM
command C:\WINDOWS\system32\igfxpers.exe
inimapping 0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item igfxpers
hkey HKLM
command C:\WINDOWS\system32\igfxpers.exe
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\igfxtray
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item igfxtray
hkey HKLM
command C:\WINDOWS\system32\igfxtray.exe
inimapping 0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item igfxtray
hkey HKLM
command C:\WINDOWS\system32\igfxtray.exe
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\iTunesHelper
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item iTunesHelper
hkey HKLM
command "C:\Program Files\iTunes\iTunesHelper.exe"
inimapping 0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item iTunesHelper
hkey HKLM
command "C:\Program Files\iTunes\iTunesHelper.exe"
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\KernelFaultCheck
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item dumprep 0 -k
hkey HKLM
command %systemroot%\system32\dumprep 0 -k
inimapping 0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item dumprep 0 -k
hkey HKLM
command %systemroot%\system32\dumprep 0 -k
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\QuickClean Imonitor
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item Plguni
hkey HKCU
command C:\Program Files\McAfee\McAfee QuickClean\Plguni.exe /START
inimapping 0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item Plguni
hkey HKCU
command C:\Program Files\McAfee\McAfee QuickClean\Plguni.exe /START
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\QuickTime Task
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item qttask
hkey HKLM
command "C:\Program Files\QuickTime\qttask.exe" -atboottime
inimapping 0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item qttask
hkey HKLM
command "C:\Program Files\QuickTime\qttask.exe" -atboottime
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\Skype
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item Skype
hkey HKCU
command "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
inimapping 0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item Skype
hkey HKCU
command "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\SunJavaUpdateSched
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item jusched
hkey HKLM
command C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
inimapping 0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item jusched
hkey HKLM
command C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\TkBellExe
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item realsched
hkey HKLM
command "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
inimapping 0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item realsched
hkey HKLM
command "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\VAS Memory Optimizer
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item mem
hkey HKLM
command C:\Program Files\VAS\VAS System Tools\mem.exe /ags
inimapping 0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item mem
hkey HKLM
command C:\Program Files\VAS\VAS System Tools\mem.exe /ags
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\Windows Defender
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item MSASCui
hkey HKLM
command "C:\Program Files\Windows Defender\MSASCui.exe" -hide
inimapping 0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item MSASCui
hkey HKLM
command "C:\Program Files\Windows Defender\MSASCui.exe" -hide
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\WinFast Schedule
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item WFWIZ
hkey HKLM
command C:\Program Files\WinFast\WFTVFM\WFWIZ.exe
inimapping 0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item WFWIZ
hkey HKLM
command C:\Program Files\WinFast\WFTVFM\WFWIZ.exe
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\state
system.ini 0
win.ini 0
bootini 0
services 0
startup 1


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Attachments
ScanWithAntiVirus 2


HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
LinkResolveIgnoreLinkInfo 0
NoResolveSearch 1
NoCDBurning 0


HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Ext

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Ext\CLSID
{17492023-C23A-453E-A040-C7C580BBF700} 1

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum
{BDEADF00-C265-11D0-BCED-00A0C90AB50F} = C:\PROGRA~1\COMMON~1\MICROS~1\WEBFOL~1\MSONSEXT.DLL
{6DFD7C5C-2451-11d3-A299-00C04F8EF6AF} =
{0DF44EAA-FF21-4412-828E-260A8728E7F1} =


HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Ratings

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system
dontdisplaylastusername 0
legalnoticecaption
legalnoticetext
shutdownwithoutlogon 1
undockwithoutlogon 1


[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies]

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
NoDriveTypeAutoRun 145

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run
WinUpdate.exe C:\Program Files\Windows\WinUpdate.exe

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
PostBootReminder {7849596a-48ea-486e-8937-a2a3009f31a9} = %SystemRoot%\system32\SHELL32.dll
CDBurn {fbeb8a05-beee-4442-804e-409d6c4515e9} = %SystemRoot%\system32\SHELL32.dll
WebCheck {E6FB5E20-DE35-11CF-9C87-00AA005127ED} = C:\WINDOWS\system32\webcheck.dll
SysTray {35CEC8A3-2BE6-11D2-8773-92E220524153} = C:\WINDOWS\system32\stobject.dll
WPDShServiceObj {AAA288BA-9A4C-45B0-95D7-94D524869DB5} = C:\WINDOWS\system32\WPDShServiceObj.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = C:\WINDOWS\system32\userinit.exe,
Shell = Explorer.exe
System =

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain
= crypt32.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet
= cryptnet.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll
= cscdll.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\igfxcui
= igfxdev.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp
= wlnotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule
= wlnotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy
= sclgntfy.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn
= WlNotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv
= wlnotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WgaLogon
= WgaLogon.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon
= wlnotify.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Your Image File Name Here without a path
Debugger = ntsd -d

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
AppInit_DLLs


Scan Complete
WinPFind v1.4.1 - Log file written to "WinPFind.Txt" in the WinPFind folder.
Scan completed on 10/06/2006 10:17:02 p.m.

regards,

Wayne

#8 Guest_Cretemonster_*

Guest_Cretemonster_*

  • Guests
  • OFFLINE
  •  

Posted 10 June 2006 - 09:47 AM

If you will,run the reg file again.

Reboot back in Safe Mode again and Scan with WinPFind.


Restart the Machine and Please run the F-Secure Online Scanner
  • Follow the directions in the F-Secure page for proper Installation.
  • Accept the License Agreement.
  • Once the ActiveX installs,Click Custom Scan and be sure the following are checked.
    • Scan whole System
    • Scan all files
    • Scan whole system for rootkits
    • Scan whole system for spyware
    • Scan inside archives
    • Use advanced heuristics
  • Once the download completes,the scan will begin automatically.
  • The scan will take some time to finish,so please be patient.
  • When the scan completes, click the I want to decide item by item button.
  • For each item found,Select Disinfect and Click Next
  • Click the Show Report button and Copy&Paste the entire report in your next reply along with the WinPFind log.


#9 waynerockit

waynerockit
  • Topic Starter

  • Members
  • 17 posts
  • OFFLINE
  •  
  • Location:New Zealand
  • Local time:04:00 PM

Posted 10 June 2006 - 05:18 PM

Hi there,

As requested the following reports

Scanning Report
Sunday, June 11, 2006 08:51:19 - 10:07:14
Computer name: WAYNE-9298389BD
Scanning type: Scan system for viruses, rootkits, spyware
Target: C:\


--------------------------------------------------------------------------------

Result: 7 malware found
Tracking Cookie (spyware)
System (Disinfected)
System
System
System
System
System
Trojan-Downloader.NSIS.Agent.u (virus)
C:\Documents and Settings\Owner\.housecall\Quarantine\Dc13.exe.bac_a03440 (Renamed & Submitted)

--------------------------------------------------------------------------------

Statistics
Scanned:
Files: 167730
System: 4028
Not scanned: 47
Actions:
Disinfected: 1
Renamed: 1
Deleted: 0
None: 5
Submitted: 1
Files not scanned:
xP 0P >C:\DOCUMENTS AND SETTINGS\NETWORKSERVICE\NTUSER.DAT
C:\DOCUMENTS AND SETTINGS\NETWORKSERVICE\LOCAL SETTINGS\APPLICATION DATA\MICROSOFT\WINDOWS\USRCLASS.DAT
C:\DOCUMENTS AND SETTINGS\LOCALSERVICE\NTUSER.DAT
C:\DOCUMENTS AND SETTINGS\LOCALSERVICE\LOCAL SETTINGS\APPLICATION DATA\MICROSOFT\WINDOWS\USRCLASS.DAT
C:\DOCUMENTS AND SETTINGS\ALL USERS\APPLICATION DATA\ULEAD SYSTEMS\PRODUCTNAME\VER\U32BASE.CFG
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\MissingsharedDLL.zip\sbRecovery.reg
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\MissingsharedDLL1.zip\sbRecovery.reg
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\MissingsharedDLL10.zip\sbRecovery.reg
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\MissingsharedDLL11.zip\sbRecovery.reg
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\MissingsharedDLL12.zip\sbRecovery.reg
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\MissingsharedDLL13.zip\sbRecovery.reg
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\MissingsharedDLL14.zip\sbRecovery.reg
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\MissingsharedDLL15.zip\sbRecovery.reg
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\MissingsharedDLL16.zip\sbRecovery.reg
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\MissingsharedDLL17.zip\sbRecovery.reg
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\MissingsharedDLL18.zip\sbRecovery.reg
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\MissingsharedDLL2.zip\sbRecovery.reg
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\MissingsharedDLL3.zip\sbRecovery.reg
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\MissingsharedDLL4.zip\sbRecovery.reg
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\MissingsharedDLL5.zip\sbRecovery.reg
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\MissingsharedDLL6.zip\sbRecovery.reg
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\MissingsharedDLL7.zip\sbRecovery.reg
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\MissingsharedDLL8.zip\sbRecovery.reg
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\MissingsharedDLL9.zip\sbRecovery.reg
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Startupfiledoesnotexist.zip\sbRecovery.reot -




WARNING: not all files found by this scanner are bad. Consult with a knowledgable person before proceeding.

If you see a message in the titlebar saying "Not responding..." you can ignore it. Windows somethimes displays this message due to the high volume of disk I/O. As long as the hard disk light is flashing, the program is still working properly.

Windows OS and Versions
Product Name: Microsoft Windows XP Current Build: Service Pack 2 Current Build Number: 2600
Internet Explorer Version: 7.0.5346.5

Checking Selected Standard Folders

Checking %SystemDrive% folder...

Checking %ProgramFilesDir% folder...

Checking %WinDir% folder...

Checking %System% folder...
UPX! 12/10/2000 12:48:18 a.m. 41984 C:\WINDOWS\SYSTEM32\ccrpDtp6.ocx
PEC2 5/08/2004 41397 C:\WINDOWS\SYSTEM32\dfrg.msc
PEC2 20/04/2006 8:09:20 a.m. 619156 C:\WINDOWS\SYSTEM32\DivX.dll
PECompact2 20/04/2006 8:09:20 a.m. 619156 C:\WINDOWS\SYSTEM32\DivX.dll
UPX! 9/05/2003 2:14:06 a.m. 75264 C:\WINDOWS\SYSTEM32\Gifxc.ocx
PTech 23/05/2006 5:26:00 p.m. 579888 C:\WINDOWS\SYSTEM32\LegitCheckControl.dll
PECompact2 3/05/2006 9:26:24 p.m. 5818784 C:\WINDOWS\SYSTEM32\MRT.exe
aspack 3/05/2006 9:26:24 p.m. 5818784 C:\WINDOWS\SYSTEM32\MRT.exe
aspack 5/08/2004 708096 C:\WINDOWS\SYSTEM32\ntdll.dll
Umonitor 5/08/2004 657920 C:\WINDOWS\SYSTEM32\rasdlg.dll
UPX! 7/02/2004 1:29:20 a.m. 23040 C:\WINDOWS\SYSTEM32\Shadow.ocx
winsync 5/08/2004 1309184 C:\WINDOWS\SYSTEM32\wbdbase.deu
PTech 23/05/2006 5:25:52 p.m. 285488 C:\WINDOWS\SYSTEM32\WgaTray.exe

Checking %System%\Drivers folder and sub-folders...

Items found in C:\WINDOWS\SYSTEM32\drivers\etc\hosts


Checking the Windows folder and sub-folders for system and hidden files within the last 60 days...
11/06/2006 8:20:50 a.m. S 2048 C:\WINDOWS\bootstat.dat
9/06/2006 9:04:40 p.m. H 54156 C:\WINDOWS\QTFont.qfn
8/06/2006 1:25:54 p.m. RHS 227 C:\WINDOWS\assembly\Desktop.ini
8/06/2006 1:25:54 p.m. RH 0 C:\WINDOWS\assembly\PublisherPolicy.tme
8/06/2006 1:25:54 p.m. RH 0 C:\WINDOWS\assembly\pubpol1.dat
8/06/2006 1:30:12 p.m. RH 0 C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\index1b.dat
8/06/2006 1:30:14 p.m. RH 0 C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\index1c.dat
22/04/2006 5:44:06 p.m. H 0 C:\WINDOWS\inf\oem12.inf
8/06/2006 1:28:52 p.m. H 0 C:\WINDOWS\inf\oem13.inf
13/04/2006 11:31:00 p.m. S 44662 C:\WINDOWS\system32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\ie7beta2.cat
23/05/2006 5:27:00 p.m. S 7160 C:\WINDOWS\system32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\WgaNotify.cat
9/05/2006 10:42:46 p.m. S 26352 C:\WINDOWS\system32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\WMFDist11.cat
9/05/2006 10:56:16 p.m. S 22624 C:\WINDOWS\system32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\wmp11.cat
11/06/2006 8:20:56 a.m. H 12288 C:\WINDOWS\system32\config\default.LOG
11/06/2006 8:21:06 a.m. H 1024 C:\WINDOWS\system32\config\SAM.LOG
11/06/2006 8:20:52 a.m. H 12288 C:\WINDOWS\system32\config\SECURITY.LOG
11/06/2006 8:21:10 a.m. H 65536 C:\WINDOWS\system32\config\software.LOG
11/06/2006 8:21:06 a.m. H 942080 C:\WINDOWS\system32\config\system.LOG
10/06/2006 1:36:26 a.m. H 1024 C:\WINDOWS\system32\config\systemprofile\ntuser.dat.LOG
8/06/2006 1:28:48 p.m. S 341 C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\CryptnetUrlCache\Content\303572DF538EDD8B1D606185F1D559B8
11/06/2006 8:20:00 a.m. S 569 C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\CryptnetUrlCache\Content\3C83474D61E624A4F9844DF935AFE217
9/06/2006 8:26:14 p.m. S 25292 C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\CryptnetUrlCache\Content\486CC6AFD08942336C61FCD401C4A1D1
8/06/2006 8:53:30 p.m. S 688 C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\CryptnetUrlCache\Content\60E31627FDA0A46932B0E5948949F2A5
8/06/2006 2:24:10 p.m. S 739 C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\CryptnetUrlCache\Content\696F3DE637E6DE85B458996D49D759AD
9/06/2006 8:26:10 p.m. S 408 C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\CryptnetUrlCache\Content\74BFD122C0875EC75DBE5C6DB4C59019
8/06/2006 1:28:52 p.m. S 413 C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\CryptnetUrlCache\Content\79841F8EF00FBA86D33CC5A47696F165
8/06/2006 1:28:44 p.m. S 574 C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\CryptnetUrlCache\Content\904590238400AD963F77FAAAADC9BAB5
8/06/2006 1:33:12 p.m. S 558 C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\CryptnetUrlCache\Content\A44F4E7CB3133FF765C39A53AD8FCFDD
8/06/2006 8:53:36 p.m. S 31835 C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\CryptnetUrlCache\Content\A8FABA189DB7D25FBA7CAC806625FD30
8/06/2006 2:24:14 p.m. S 518 C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\CryptnetUrlCache\Content\B8CC409ACDBF2A2FE04C56F2875B1FD6
10/06/2006 7:39:00 p.m. S 558 C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\CryptnetUrlCache\Content\E6024EAC88E6B6165D49FE3C95ADD735
8/06/2006 1:28:48 p.m. S 126 C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\CryptnetUrlCache\MetaData\303572DF538EDD8B1D606185F1D559B8
11/06/2006 8:20:00 a.m. S 142 C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\CryptnetUrlCache\MetaData\3C83474D61E624A4F9844DF935AFE217
9/06/2006 8:26:14 p.m. S 120 C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\CryptnetUrlCache\MetaData\486CC6AFD08942336C61FCD401C4A1D1
8/06/2006 8:53:30 p.m. S 94 C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\CryptnetUrlCache\MetaData\60E31627FDA0A46932B0E5948949F2A5
8/06/2006 2:24:10 p.m. S 156 C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\CryptnetUrlCache\MetaData\696F3DE637E6DE85B458996D49D759AD
9/06/2006 8:26:10 p.m. S 124 C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\CryptnetUrlCache\MetaData\74BFD122C0875EC75DBE5C6DB4C59019
8/06/2006 1:28:52 p.m. S 98 C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\CryptnetUrlCache\MetaData\79841F8EF00FBA86D33CC5A47696F165
8/06/2006 1:28:44 p.m. S 136 C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\CryptnetUrlCache\MetaData\904590238400AD963F77FAAAADC9BAB5
8/06/2006 1:33:12 p.m. S 146 C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\CryptnetUrlCache\MetaData\A44F4E7CB3133FF765C39A53AD8FCFDD
8/06/2006 8:53:36 p.m. S 124 C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\CryptnetUrlCache\MetaData\A8FABA189DB7D25FBA7CAC806625FD30
8/06/2006 2:24:14 p.m. S 134 C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\CryptnetUrlCache\MetaData\B8CC409ACDBF2A2FE04C56F2875B1FD6
10/06/2006 7:39:00 p.m. S 144 C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\CryptnetUrlCache\MetaData\E6024EAC88E6B6165D49FE3C95ADD735
3/06/2006 10:17:18 p.m. H 0 C:\WINDOWS\system32\drivers\umdf\MsftWdf_user_01_00_00.Wdf
11/06/2006 8:24:04 a.m. H 330 C:\WINDOWS\Tasks\MP Scheduled Scan.job
11/06/2006 8:20:04 a.m. H 6 C:\WINDOWS\Tasks\SA.DAT

Checking for CPL files...
Microsoft Corporation 5/08/2004 68608 C:\WINDOWS\SYSTEM32\access.cpl
Microsoft Corporation 5/08/2004 549888 C:\WINDOWS\SYSTEM32\appwiz.cpl
Microsoft Corporation 5/08/2004 110592 C:\WINDOWS\SYSTEM32\bthprops.cpl
Microsoft Corporation 5/08/2004 135168 C:\WINDOWS\SYSTEM32\desk.cpl
Microsoft Corporation 5/08/2004 80384 C:\WINDOWS\SYSTEM32\firewall.cpl
Microsoft Corporation 5/08/2004 155136 C:\WINDOWS\SYSTEM32\hdwwiz.cpl
Intel Corporation 20/09/2005 9:35:12 a.m. 77824 C:\WINDOWS\SYSTEM32\igfxcpl.cpl
Microsoft Corporation 13/04/2006 11:21:20 p.m. 1405952 C:\WINDOWS\SYSTEM32\inetcpl.cpl
Microsoft Corporation 5/08/2004 129536 C:\WINDOWS\SYSTEM32\intl.cpl
Microsoft Corporation 5/08/2004 380416 C:\WINDOWS\SYSTEM32\irprops.cpl
Microsoft Corporation 5/08/2004 68608 C:\WINDOWS\SYSTEM32\joy.cpl
Sun Microsystems, Inc. 10/11/2005 1:03:50 p.m. 49265 C:\WINDOWS\SYSTEM32\jpicpl32.cpl
Microsoft Corporation 5/08/2004 187904 C:\WINDOWS\SYSTEM32\main.cpl
Microsoft Corporation 5/08/2004 618496 C:\WINDOWS\SYSTEM32\mmsys.cpl
Microsoft Corporation 5/08/2004 35840 C:\WINDOWS\SYSTEM32\ncpa.cpl
Microsoft Corporation 5/08/2004 25600 C:\WINDOWS\SYSTEM32\netsetup.cpl
Microsoft Corporation 5/08/2004 257024 C:\WINDOWS\SYSTEM32\nusrmgr.cpl
Microsoft Corporation 5/08/2004 32768 C:\WINDOWS\SYSTEM32\odbccp32.cpl
Microsoft Corporation 5/08/2004 114688 C:\WINDOWS\SYSTEM32\powercfg.cpl
Microsoft Corporation 5/08/2004 298496 C:\WINDOWS\SYSTEM32\sysdm.cpl
Microsoft Corporation 5/08/2004 28160 C:\WINDOWS\SYSTEM32\telephon.cpl
Microsoft Corporation 5/08/2004 94208 C:\WINDOWS\SYSTEM32\timedate.cpl
Microsoft Corporation 5/08/2004 148480 C:\WINDOWS\SYSTEM32\wscui.cpl
Microsoft Corporation 26/05/2005 4:16:30 a.m. 174360 C:\WINDOWS\SYSTEM32\wuaucpl.cpl
Microsoft Corporation 5/08/2004 68608 C:\WINDOWS\SYSTEM32\dllcache\access.cpl
Microsoft Corporation 5/08/2004 549888 C:\WINDOWS\SYSTEM32\dllcache\appwiz.cpl
Microsoft Corporation 5/08/2004 135168 C:\WINDOWS\SYSTEM32\dllcache\desk.cpl
Microsoft Corporation 5/08/2004 80384 C:\WINDOWS\SYSTEM32\dllcache\firewall.cpl
Microsoft Corporation 5/08/2004 155136 C:\WINDOWS\SYSTEM32\dllcache\hdwwiz.cpl
Microsoft Corporation 13/04/2006 11:21:20 p.m. 1405952 C:\WINDOWS\SYSTEM32\dllcache\inetcpl.cpl
Microsoft Corporation 5/08/2004 129536 C:\WINDOWS\SYSTEM32\dllcache\intl.cpl
Microsoft Corporation 5/08/2004 68608 C:\WINDOWS\SYSTEM32\dllcache\joy.cpl
Microsoft Corporation 5/08/2004 187904 C:\WINDOWS\SYSTEM32\dllcache\main.cpl
Microsoft Corporation 5/08/2004 618496 C:\WINDOWS\SYSTEM32\dllcache\mmsys.cpl
Microsoft Corporation 5/08/2004 35840 C:\WINDOWS\SYSTEM32\dllcache\ncpa.cpl
Microsoft Corporation 5/08/2004 25600 C:\WINDOWS\SYSTEM32\dllcache\netsetup.cpl
Microsoft Corporation 5/08/2004 257024 C:\WINDOWS\SYSTEM32\dllcache\nusrmgr.cpl
Microsoft Corporation 5/08/2004 32768 C:\WINDOWS\SYSTEM32\dllcache\odbccp32.cpl
Microsoft Corporation 5/08/2004 114688 C:\WINDOWS\SYSTEM32\dllcache\powercfg.cpl
Microsoft Corporation 5/08/2004 155648 C:\WINDOWS\SYSTEM32\dllcache\sapi.cpl
Microsoft Corporation 5/08/2004 298496 C:\WINDOWS\SYSTEM32\dllcache\sysdm.cpl
Microsoft Corporation 5/08/2004 28160 C:\WINDOWS\SYSTEM32\dllcache\telephon.cpl
Microsoft Corporation 5/08/2004 94208 C:\WINDOWS\SYSTEM32\dllcache\timedate.cpl
Microsoft Corporation 5/08/2004 148480 C:\WINDOWS\SYSTEM32\dllcache\wscui.cpl
Microsoft Corporation 26/05/2005 4:16:30 a.m. 174360 C:\WINDOWS\SYSTEM32\dllcache\wuaucpl.cpl
Intel Corporation 23/01/2005 10:33:44 a.m. 94208 C:\WINDOWS\SYSTEM32\ReinstallBackups\0008\DriverFiles\igfxcpl.cpl

Checking Selected Startup Folders

Checking files in %ALLUSERSPROFILE%\Startup folder...
6/04/2006 11:56:02 a.m. HS 84 C:\Documents and Settings\All Users\Start Menu\Programs\Startup\desktop.ini

Checking files in %ALLUSERSPROFILE%\Application Data folder...
6/04/2006 11:44:28 p.m. HS 62 C:\Documents and Settings\All Users\Application Data\desktop.ini

Checking files in %USERPROFILE%\Startup folder...
6/04/2006 11:56:02 a.m. HS 84 C:\Documents and Settings\Owner\Start Menu\Programs\Startup\desktop.ini

Checking files in %USERPROFILE%\Application Data folder...
12/05/2006 4:38:00 p.m. 1573 C:\Documents and Settings\Owner\Application Data\AdobeDLM.log
6/04/2006 11:44:28 p.m. HS 62 C:\Documents and Settings\Owner\Application Data\desktop.ini
12/05/2006 4:38:00 p.m. 0 C:\Documents and Settings\Owner\Application Data\dm.ini

Checking Selected Registry Keys

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
SV1 =

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]

[HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers]
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\ewido
{57BD36D7-CE32-4600-9B1C-1A0C47EFC02E} = C:\Program Files\ewido anti-malware\context.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Offline Files
{750fdf0e-2a26-11d1-a3ea-080036587f03} = %SystemRoot%\System32\cscui.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With
{09799AFB-AD67-11d1-ABCD-00C04FC30936} = %SystemRoot%\system32\SHELL32.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With EncryptionMenu
{A470F8CF-A1E8-4f65-8335-227475AA5C46} = %SystemRoot%\system32\SHELL32.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\WinRAR
{B41DB860-8EE4-11D2-9906-E49FADC173CA} = C:\Program Files\WinRAR\rarext.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\WinZip
{E0D79304-84BE-11CE-9641-444553540000} = C:\PROGRA~1\WINZIP\WZSHLSTB.DLL
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\{a2a9545d-a0c2-42b4-9708-a0b2badd77c8}
Start Menu Pin = %SystemRoot%\system32\SHELL32.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\a2ContMenu
{AB77609F-2178-4E6F-9C4B-44AC179D937A} = C:\PROGRA~1\A-SQUA~1\A2CONT~1.DLL
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\WinRAR
{B41DB860-8EE4-11D2-9906-E49FADC173CA} = C:\Program Files\WinRAR\rarext.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\WinZip
{E0D79304-84BE-11CE-9641-444553540000} = C:\PROGRA~1\WINZIP\WZSHLSTB.DLL

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\EncryptionMenu
{A470F8CF-A1E8-4f65-8335-227475AA5C46} = %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\ewido
{57BD36D7-CE32-4600-9B1C-1A0C47EFC02E} = C:\Program Files\ewido anti-malware\context.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\Offline Files
{750fdf0e-2a26-11d1-a3ea-080036587f03} = %SystemRoot%\System32\cscui.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\Sharing
{f81e9010-6ea4-11ce-a7ff-00aa003ca9f6} = ntshrui.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\WinRAR
{B41DB860-8EE4-11D2-9906-E49FADC173CA} = C:\Program Files\WinRAR\rarext.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\WinZip
{E0D79304-84BE-11CE-9641-444553540000} = C:\PROGRA~1\WINZIP\WZSHLSTB.DLL

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{0D2E74C4-3C34-11d2-A27E-00C04FC30871}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{24F14F01-7B1C-11d1-838f-0000F80461CF}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{24F14F02-7B1C-11d1-838f-0000F80461CF}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{66742402-F9B9-11D1-A202-0000F81FEDEE}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{F9DB5320-233E-11D1-9F84-707F02C10627}
= C:\Program Files\Adobe\Acrobat 7.0\ActiveX\PDFShell.dll

[HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}
AcroIEHlprObj Class = C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{53707962-6F74-2D53-2644-206D7942484F}
= C:\PROGRA~1\SPYBOT~1\SDHelper.dll
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}
SSVHelper Class = C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\{4D5C8C25-D075-11d0-B416-00C04FB90376}
&Tip of the Day = %SystemRoot%\system32\shdocvw.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ToolBar]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{08B0E5C0-4FCB-11CF-AAA5-00401C608501}
MenuText = Sun Java Console : C:\Program Files\Java\jre1.5.0_06\bin\npjpi150_06.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{85d1f590-48f4-11d9-9669-0800200c9a66}
MenuText = Uninstall BitDefender Online Scanner v8 :
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{92780B25-18CC-41C8-B9BE-3C9C571A8263}
ButtonText = Research :
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{FB5F1910-F110-11d2-BB9E-00C04F795683}
ButtonText = Messenger : C:\Program Files\Messenger\msmsgs.exe

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars]
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{C4EE31F3-4768-11D2-BE5C-00A0C9A83DA1}
File Search Explorer Band = %SystemRoot%\system32\SHELL32.dll
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{EFA24E64-B078-11D0-89E4-00C04FC9E26E}
Explorer Band = %SystemRoot%\system32\shdocvw.dll

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar]
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser
{01E04581-4EEE-11D0-BFE9-00AA005B4383} = &Address : %SystemRoot%\system32\browseui.dll
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser
{01E04581-4EEE-11D0-BFE9-00AA005B4383} = &Address : %SystemRoot%\system32\browseui.dll
{0E5CBF21-D15F-11D0-8301-00AA005B4383} = &Links : %SystemRoot%\system32\SHELL32.dll
{EF99BD32-C1FB-11D2-892F-0090271D4F88} = &Yahoo! Toolbar :
{F2CF5485-4E02-4F68-819C-B92DE9277049} = &Links : C:\WINDOWS\system32\ieframe.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
OneCareUI "C:\Program Files\Microsoft Windows OneCare Live\winssnotify.exe"
VAS Free System Tools C:\Program Files\VAS\VAS System Tools\start.exe
KernelFaultCheck %systemroot%\system32\dumprep 0 -k
VAS Memory Optimizer C:\Program Files\VAS\VAS System Tools\mem.exe /ags

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]
IMAIL Installed = 1
MAPI Installed = 1
MSFS Installed = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
DellSupport "C:\Program Files\Dell Support\DSAgnt.exe" /startup

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\load]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\run]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\services

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupfolder

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk
path C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup
location Common Startup
command C:\PROGRA~1\Adobe\ACROBA~1.0\Reader\READER~1.EXE
item Adobe Reader Speed Launch
path C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup
location Common Startup
command C:\PROGRA~1\Adobe\ACROBA~1.0\Reader\READER~1.EXE
item Adobe Reader Speed Launch

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Mobile User VPN.lnk
path C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Mobile User VPN.lnk
backup C:\WINDOWS\pss\Mobile User VPN.lnkCommon Startup
location Common Startup
command C:\PROGRA~1\WATCHG~1\MOBILE~1\SafeCfg.exe
item Mobile User VPN
Mobile User VPN C:\PROGRA~1\WATCHG~1\MOBILE~1\SafeCfg.exe
path C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Mobile User VPN.lnk
backup C:\WINDOWS\pss\Mobile User VPN.lnkCommon Startup
location Common Startup
command C:\PROGRA~1\WATCHG~1\MOBILE~1\SafeCfg.exe
item Mobile User VPN
Mobile User VPN C:\PROGRA~1\WATCHG~1\MOBILE~1\SafeCfg.exe

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^msconfig.exe
path C:\Documents and Settings\All Users\Start Menu\Programs\Startup\msconfig.exe
backup C:\WINDOWS\pss\msconfig.exeCommon Startup
location Common Startup
command C:\Documents and Settings\All Users\Start Menu\Programs\Startup\msconfig.exe
item msconfig
path C:\Documents and Settings\All Users\Start Menu\Programs\Startup\msconfig.exe
backup C:\WINDOWS\pss\msconfig.exeCommon Startup
location Common Startup
command C:\Documents and Settings\All Users\Start Menu\Programs\Startup\msconfig.exe
item msconfig

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^taskmgr.exe
path C:\Documents and Settings\All Users\Start Menu\Programs\Startup\taskmgr.exe
backup C:\WINDOWS\pss\taskmgr.exeCommon Startup
location Common Startup
command C:\Documents and Settings\All Users\Start Menu\Programs\Startup\taskmgr.exe
item taskmgr
path C:\Documents and Settings\All Users\Start Menu\Programs\Startup\taskmgr.exe
backup C:\WINDOWS\pss\taskmgr.exeCommon Startup
location Common Startup
command C:\Documents and Settings\All Users\Start Menu\Programs\Startup\taskmgr.exe
item taskmgr

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\AVG7_CC
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item avgcc
hkey HKLM
command C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
inimapping 0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item avgcc
hkey HKLM
command C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\C-Media Mixer
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item Mixer
hkey HKLM
command Mixer.exe /startup
inimapping 0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item Mixer
hkey HKLM
command Mixer.exe /startup
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\DellSupport
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item DSAgnt
hkey HKCU
command "C:\Program Files\Dell Support\DSAgnt.exe" /startup
inimapping 0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item DSAgnt
hkey HKCU
command "C:\Program Files\Dell Support\DSAgnt.exe" /startup
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\DVDLauncher
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item DVDLauncher
hkey HKLM
command "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
inimapping 0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item DVDLauncher
hkey HKLM
command "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\igfxhkcmd
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item hkcmd
hkey HKLM
command C:\WINDOWS\system32\hkcmd.exe
inimapping 0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item hkcmd
hkey HKLM
command C:\WINDOWS\system32\hkcmd.exe
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\igfxpers
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item igfxpers
hkey HKLM
command C:\WINDOWS\system32\igfxpers.exe
inimapping 0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item igfxpers
hkey HKLM
command C:\WINDOWS\system32\igfxpers.exe
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\igfxtray
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item igfxtray
hkey HKLM
command C:\WINDOWS\system32\igfxtray.exe
inimapping 0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item igfxtray
hkey HKLM
command C:\WINDOWS\system32\igfxtray.exe
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\iTunesHelper
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item iTunesHelper
hkey HKLM
command "C:\Program Files\iTunes\iTunesHelper.exe"
inimapping 0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item iTunesHelper
hkey HKLM
command "C:\Program Files\iTunes\iTunesHelper.exe"
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\KernelFaultCheck
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item dumprep 0 -k
hkey HKLM
command %systemroot%\system32\dumprep 0 -k
inimapping 0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item dumprep 0 -k
hkey HKLM
command %systemroot%\system32\dumprep 0 -k
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\QuickClean Imonitor
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item Plguni
hkey HKCU
command C:\Program Files\McAfee\McAfee QuickClean\Plguni.exe /START
inimapping 0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item Plguni
hkey HKCU
command C:\Program Files\McAfee\McAfee QuickClean\Plguni.exe /START
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\QuickTime Task
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item qttask
hkey HKLM
command "C:\Program Files\QuickTime\qttask.exe" -atboottime
inimapping 0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item qttask
hkey HKLM
command "C:\Program Files\QuickTime\qttask.exe" -atboottime
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\Skype
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item Skype
hkey HKCU
command "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
inimapping 0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item Skype
hkey HKCU
command "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\SunJavaUpdateSched
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item jusched
hkey HKLM
command C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
inimapping 0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item jusched
hkey HKLM
command C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\TkBellExe
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item realsched
hkey HKLM
command "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
inimapping 0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item realsched
hkey HKLM
command "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\VAS Memory Optimizer
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item mem
hkey HKLM
command C:\Program Files\VAS\VAS System Tools\mem.exe /ags
inimapping 0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item mem
hkey HKLM
command C:\Program Files\VAS\VAS System Tools\mem.exe /ags
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\Windows Defender
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item MSASCui
hkey HKLM
command "C:\Program Files\Windows Defender\MSASCui.exe" -hide
inimapping 0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item MSASCui
hkey HKLM
command "C:\Program Files\Windows Defender\MSASCui.exe" -hide
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\WinFast Schedule
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item WFWIZ
hkey HKLM
command C:\Program Files\WinFast\WFTVFM\WFWIZ.exe
inimapping 0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item WFWIZ
hkey HKLM
command C:\Program Files\WinFast\WFTVFM\WFWIZ.exe
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\state
system.ini 0
win.ini 0
bootini 0
services 0
startup 1


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Attachments
ScanWithAntiVirus 2


HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
LinkResolveIgnoreLinkInfo 0
NoResolveSearch 1
NoCDBurning 0


HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Ext

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Ext\CLSID
{17492023-C23A-453E-A040-C7C580BBF700} 1

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum
{BDEADF00-C265-11D0-BCED-00A0C90AB50F} = C:\PROGRA~1\COMMON~1\MICROS~1\WEBFOL~1\MSONSEXT.DLL
{6DFD7C5C-2451-11d3-A299-00C04F8EF6AF} =
{0DF44EAA-FF21-4412-828E-260A8728E7F1} =


HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Ratings

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system
dontdisplaylastusername 0
legalnoticecaption
legalnoticetext
shutdownwithoutlogon 1
undockwithoutlogon 1


[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies]

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
NoDriveTypeAutoRun 145

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
PostBootReminder {7849596a-48ea-486e-8937-a2a3009f31a9} = %SystemRoot%\system32\SHELL32.dll
CDBurn {fbeb8a05-beee-4442-804e-409d6c4515e9} = %SystemRoot%\system32\SHELL32.dll
WebCheck {E6FB5E20-DE35-11CF-9C87-00AA005127ED} = C:\WINDOWS\system32\webcheck.dll
SysTray {35CEC8A3-2BE6-11D2-8773-92E220524153} = C:\WINDOWS\system32\stobject.dll
WPDShServiceObj {AAA288BA-9A4C-45B0-95D7-94D524869DB5} = C:\WINDOWS\system32\WPDShServiceObj.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = C:\WINDOWS\system32\userinit.exe,
Shell = Explorer.exe
System =

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain
= crypt32.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet
= cryptnet.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll
= cscdll.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\igfxcui
= igfxdev.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp
= wlnotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule
= wlnotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy
= sclgntfy.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn
= WlNotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv
= wlnotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WgaLogon
= WgaLogon.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon
= wlnotify.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Your Image File Name Here without a path
Debugger = ntsd -d

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
AppInit_DLLs


Scan Complete
WinPFind v1.4.1 - Log file written to "WinPFind.Txt" in the WinPFind folder.
Scan completed on 11/06/2006 8:27:07 a.m.

thanks again

Wayne

#10 Guest_Cretemonster_*

Guest_Cretemonster_*

  • Guests
  • OFFLINE
  •  

Posted 10 June 2006 - 05:36 PM

You can delete this folder

C:\Documents and Settings\Owner\.housecall


Lets run one last Online Scan and check the email bases.


Please do an online scan with Kaspersky WebScanner

Click on Kaspersky Online Scanner

You will be promted to install an ActiveX component from Kaspersky, Click Yes.
  • The program will launch and then begin downloading the latest definition files:
  • Once the files have been downloaded click on NEXT
  • Now click on Scan Settings
  • In the scan settings make that the following are selected:
    • Scan using the following Anti-Virus database:
    Extended (if available otherwise Standard)
    • Scan Options:
    Scan Archives
    Scan Mail Bases
  • Click OK
  • Now under select a target to scan:Select My Computer
  • This will program will start and scan your system.
  • The scan will take a while so be patient and let it run.
  • Once the scan is complete it will display if your system has been infected.
    • Now click on the Save as Text button:
  • Save the file to your desktop.
  • Copy and paste that information in your next post.
Please Install these 2 to add to the Security of the PC!

SpywareBlaster:
http://www.javacoolsoftware.com/downloads.html
Update Immediatly!

WinHelp2002 Hosts File
http://www.mvps.org/winhelp2002/hosts2.htm

Disable System Restore
http://service1.symantec.com/SUPPORT/tsgen...src=sec_doc_nam

Go ahead and Reconfigure Msconfig the way you like the PC to Startup

Go ahead and remove any of the tools downloaded that are of no use anymore

Post back and let me know how things are?

#11 waynerockit

waynerockit
  • Topic Starter

  • Members
  • 17 posts
  • OFFLINE
  •  
  • Location:New Zealand

Posted 10 June 2006 - 07:58 PM

Hi there

Ran the online scanner came up with nothing! Fantastic and said there was no report...

I've tried to config msconfig went through start > run type in msconfig and came back this doesnt exist..

regards

Wayne

#12 Guest_Cretemonster_*

Guest_Cretemonster_*

  • Guests
  • OFFLINE
  •  

Posted 10 June 2006 - 08:31 PM

Attaching a folder to the post.

Download and Unzip to the desktop,move the file Find.bat onto the desktop.

Double Click find.bat and wait for the dos window to close.

File.txt should be sitting on the desktop now,post the contents of that txt file in the next reply please.

Attached Files

  • Attached File  find.zip   150bytes   2 downloads


#13 waynerockit

waynerockit
  • Topic Starter

  • Members
  • 17 posts
  • OFFLINE
  •  
  • Location:New Zealand
  • Local time:04:00 PM

Posted 10 June 2006 - 08:47 PM

As requested

Volume in drive C has no label.
Volume Serial Number is D091-CD5D

regards

Wayne

#14 waynerockit

waynerockit
  • Topic Starter

  • Members
  • 17 posts
  • OFFLINE
  •  
  • Location:New Zealand

Posted 10 June 2006 - 08:49 PM

Sorry didnt follow instructions

Volume in drive C has no label.
Volume Serial Number is D091-CD5D

Directory of C:\WINDOWS\pchealth\helpctr\binaries

05/08/2004 12:00 a.m. 158,208 msconfig.exe
1 File(s) 158,208 bytes

Directory of C:\WINDOWS\system32\dllcache

05/08/2004 12:00 a.m. 158,208 msconfig.exe
1 File(s) 158,208 bytes

Wayne

#15 waynerockit

waynerockit
  • Topic Starter

  • Members
  • 17 posts
  • OFFLINE
  •  
  • Location:New Zealand
  • Local time:04:00 PM

Posted 11 June 2006 - 02:31 AM

Hi there

Just thought i might check out if my computer could load xp windows its still saying 'This is not a valid win32 application'

regards

Wayne




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users